Abstract. This paper investigates what is essentially a call-by-value version of PCF under a complexity-theoretically motivated type system. The programming formalism, ATR, has its first-order programs characterize the polynomial-time computable functions, and its second-order programs characterize the type-2 basic feasible functionals of Mehlhorn and of Cook and Urquhart. (The ATR-types are confined to levels 0, 1, and 2.) The type system comes in two parts, one that primarily restricts the sizes of values of expressions and a second that primarily restricts the time required to evaluate expressions. The size-restricted part is motivated by Bellantoni and Cook's and Leivant's implicit characterizations of polynomial-time. The time-restricting part is an affine version of Barber and Plotkin's DILL. Two semantics are constructed for ATR. The first is a pruning of the naive denotational semantics for ATR. This pruning removes certain functions that cause otherwise feasible forms of recursion to go wrong. The second semantics is a model for ATR's time complexity relative to a certain abstract machine. This model provides a setting for complexity recurrences arising from ATR recursions, the solutions of which yield second-order polynomial time bounds. The time-complexity semantics is also shown to be sound relative to the costs of interpretation on the abstract machine.



1. Introduction 

A Lisp programmer knows the value of everything, but the cost of nothing.

— Alan Perlis

Perlis' quip is an overstatement — but not by much. Programmers in functional (and object-oriented) languages have few tools for reasoning about the efficiency of their programs. Almost all tools from traditional analysis of algorithms are targeted toward roughly the first-order fragment of C. What tools there are from formal methods are interesting, but piecemeal and preliminary.

2000 ACM Subject Classification: F.3.3, F.1.3, F.3.2.

Key words and phrases: type systems, compositional semantics, implicit computational complexity, higher-type computation, basic feasible functionals.

Logical Methods in Computer Science, DOI:10.2168/LMCS-3(1:9)2007. © N. Danner and J. S. Royer, Creative Commons.







This paper is an effort to fill in part of the puzzle of how to reason about the efficiency of programs that involve higher types. Our approach is, roughly, to take PCF and its conventional denotational semantics [Plo77, Win93] and, using types, restrict the language and its semantics to obtain a higher-type "feasible fragment" of both PCF and the PCF computable functions. Our notion of higher-type feasibility is based on the basic feasible functionals (BFFs) [CU93, Meh76], a higher-type analogue of polynomial-time computability, and Kapron and Cook's [KC96] machine-based characterization of the type-level 2 BFFs.¹ Using a higher-type notion of computational complexity as the basis of our work provides a connection to the basic notions and tools of traditional analysis of algorithms (and their lifts to higher types). Using types to enforce feasibility constraints on PCF provides a connection to much of the central work in formal methods.

Our approach is in contrast to the work of [BNS00, Hof03, LM93] which also involves higher-type languages and types that guarantee feasibility. Those programming formalisms are feasible in the sense that they have polynomial-time normalization properties and that the type-level 1 functions expressible by these systems are guaranteed to be (ordinary) polynomial-time computable. The higher-type constructions of these formalisms are essentially aids for type-level 1 polynomial-time programming. As of this writing, there is scant analysis of what higher-type functions these systems compute.²

For a simple example of a feasible higher-type function, consider C: (N → N) → (N → N) → (N → N) with C f g = f ∘ g. (Convention: N is always interpreted as {0,1}*, i.e., 0-1-strings.) In our setting, a reasonable implementation of C has a run-time bound that is a second-order polynomial (see §2.12) in the complexities of arbitrary f and g; in particular, if f and g are polynomial-time computable, so is C f g. Such a combinator C can be considered as part of the "feasible glue" of a programming environment — when used with other components, its complexity contribution is (higher-type) polynomially-bounded in terms of the complexity of the other components and the combined complexity can be expressed in a natural, compositional way. More elaborate examples of feasible functionals include many of the deterministic black-box constructions from cryptography. Chapter 3 in Goldreich [Gol01] has detailed examples, but a typical such construct takes one pseudo-random generator, g, and builds another, ĝ, with better cryptographic properties but with not much worse complexity properties than the original g. Note that these g's and ĝ's may be feasible only in a probabilistic- or circuit-complexity sense.³

While our notion of feasibility is based on the BFFs, our semantic models allow our formalism to compute more than just the standard BFFs. For example, consider prn: (N → N → N) → N → N with:

$$\begin{aligned}
\mathrm{prn}\ f\ \varepsilon &\to f\ \varepsilon\ \varepsilon. \\
\mathrm{prn}\ f\ (a \oplus y) &\to f\ (a \oplus y)\ (\mathrm{prn}\ f\ y).
\end{aligned} \qquad (1.1)$$

(Conventions: ⊕ denotes string concatenation and a ∈ {0,1}.) So, prn is a version of Cobham's [Cob65] primitive recursion on notation (or alternatively, a string-variant of foldr). It is well-known that prn is not a BFF: starting with polynomial-time primitives, prn can be used to define any primitive recursive function. However as Cobham noted, if one modifies (1.1) by adding the side-condition:

$$(\exists p_f,\ \text{a polynomial})\ (\forall x)\ [\ |\mathrm{prn}\ f\ x| \le p_f(|x|)\ ],$$

this modified prn produces definitions of just polynomial-time computable functions from polynomial-time computable primitives. Bellantoni and Cook [BC92] showed how to get rid of explicit use of such a side condition through what amounts to a typing discipline. However, their approach (which has been in large part adopted by the implicit computational complexity community, see Hofmann's survey [Hof00]) requires that prn be a "special form" and that the f in (1.1) must be ultimately given by a purely syntactic definition. We, on the other hand, want to be able to define prn within ATR (see Figure 13) and have the definition's meaning given by a conventional, higher-type denotational semantics. We thus use Bellantoni and Cook's [BC92] (and Leivant's [Lei95]) ideas in both syntactic and semantic contexts. That is, we extract the growth-rate bounds implicit in the aforementioned systems, extend these bounds to higher types, and create a type system, programming language, and semantic models that work to enforce these bounds. As a consequence, we can define prn (with a particular typing) and be assured that, whether the f corresponds to a purely syntactic term or to the interpretation of a free variable, prn will not go wrong by producing something of huge complexity. The language and its model thus implicitly incorporate side-conditions on growth via types.⁴ Handling constructs like prn as first class functions is important because programmers care more about such combinators than about most any standard BFF.

¹ Mehlhorn [Meh76] originally discovered the class of type-2 BFFs in the mid-1970s. Later Cook and Urquhart [CU93] independently discovered this class and extended it to all finite types over the full set-theoretic hierarchy. N.B. If one restricts attention to continuous models, then starting at type-level 3 there are alternative notions of "higher-type polynomial-time" [IKR02]. Dealing with type-level 3 and above involves some knotty semantic and complexity-theoretic issues beyond the scope of this paper, hence our restriction of ATR types to orders 2 and below.

² The work of [BNS00, Hof03] and of this paper sit on different sides of an important divide in higher-type computability between notions of computation over computable data (e.g., [BNS00, Hof03, LM93]) and notions of computation over continuous data (e.g., this paper) [Lon04, Lon05].

³ See [KC96, IKR01] for a more extensive justification that the BFFs provide a sensible type-2 analogue of the polynomial-time computable functions.

Outline. Our ATR formalism is based on Bellantoni and Cook [BC92] and Leivant's [Lei95] ideas on using "data ramification" to rein in computational complexity. §3 puts these ideas in a concrete form of BCL, a simple type-level 1 programming formalism, and sketches the proofs of three basic results on BCL: (i) that each BCL expression is polynomial size-bounded, (ii) that computing the value of a BCL expression is polynomial time-bounded, and (iii) each polynomial-time computable function is denoted by some BCL-expression. Most of this paper is devoted to showing the analogous results for ATR. §4 discusses how one might change BCL into a type-2 programming formalism, some of the problems one encounters, and our strategies for dealing with these problems. ATR, our type-2 system, is introduced in §5 along with its type system, typing rules, and basic syntactic properties. The goal of §§6–10 is to show (type-2) polynomial size-boundedness for ATR. This is complicated by the fact (described in §6) that the naive semantics for ATR permits exponential blow-ups. §§7–9 show how to prune back the naive semantics to obtain a setting in which we can prove polynomial size-boundedness, which is shown in §10. The goal of §§11–15 is to show (type-2) polynomial time-boundedness for ATR. Our notion of the cost of evaluating ATR expressions is based on a particular abstract machine (described in §11.1) that implements an ATR-interpreter and the costs we assign to this machine's steps (described in §11.2). §12 and §13 set up a time-complexity semantics for ATR⁻ expressions (where ATR⁻ consists of ATR without its recursion construct) and establish that this time-complexity semantics is: (i) sound for the abstract machine's cost model (i.e., the semantics provides upper bounds on these costs), and (ii) polynomial time-bounded, that is, the time-complexity of each ATR expression e has a second-order polynomial bound over the time-complexities of e's free variables. §16 shows that ATR can compute each type-2 basic feasible functional. §17 considers possible extensions of our work. We begin in §2 which sets out some basic background definitions with §§2.8–2.14 covering the more exotic topics.

⁴ Incorporating side-conditions in models is nothing new. A fixed-point combinator has the implicit side-condition that its argument is continuous (or at least monotone) so that, by Tarski's fixed-point theorem [Win93], we know the result is meaningful. Models of languages with fixed-point combinators typically have continuity built-in so the side-condition is always implicit.

Acknowledgments. Thanks to Susan Older and Bruce Kapron for repeatedly listening to the second author describe this work along its evolution. Thanks to Neil Jones and Luke Ong for inviting the second author to Oxford for a visit and for some extremely helpful comments on an early draft of this paper. Thanks to Syracuse University for hosting the first author during September 2005. Thanks also to the anonymous referees of both the POPL version of this paper [DR06] and the present paper for many extremely helpful comments. Finally many thanks to Peter O'Hearn, Josh Berdine, and the Queen Mary theory group for hosting the second author's visit in the Autumn of 2005 and for repeatedly raking his poor type-systems over the coals until something reasonably simple and civilized survived the ordeals. This work was partially supported by EPSRC grant GR/T25156/01 and NSF grant CCR-0098198.

2. Notation and conventions 

2.1. Numbers and strings. We use two representations of the natural numbers: dyadic and unary. Each element of N is identified with its dyadic representation over {0,1}, i.e., 0 = ε, 1 = 0, 2 = 1, 3 = 00, etc. We freely pun between x ∈ N as a number and a 0-1-string. Each element of ω is identified with its unary representation over {0}, i.e., 0 = ε, 1 = 0, 2 = 00, 3 = 000, etc. The elements of N are used as numeric/string values to be computed over. The elements of ω are used as tallies to represent lengths, run times, and generally anything that corresponds to a size measurement. Notation: For each natural number k, $\bar{k} = 0^k$. Also x ⊕ y = the concatenation of strings x and y.

2.2. Simple types. Below, b (with and without decorations) ranges over base types and B ranges over nonempty sets of base types. The simple types over B are given by: T ::= B | (T → T). As usual, → is right associative and unnecessary parentheses are typically dropped in type expressions, e.g., (σ₁ → (σ₂ → σ₃)) = σ₁ → σ₂ → σ₃. A type σ₁ → ··· → σ_k → b is often written as (σ₁, ..., σ_k) → b or, when σ = σ₁ = ··· = σ_k, as (σ^k) → b. The simple product types over B are given by: T ::= B | T → T | () | T × T, where () is the type of the empty product. As usual, σ¹ = σ, σ^{k+1} = σ^k × σ, × is left associative, and unnecessary parentheses are typically dropped in type expressions. The level of a simple (product) type is given by: level(b) = level(()) = 0; level(σ × τ) = max(level(σ), level(τ)); and level(σ → τ) = max(1 + level(σ), level(τ)). In this paper types are always interpreted over cartesian closed categories; hence, the two types (σ₁, ..., σ_k) → τ and σ₁ × ··· × σ_k → τ may be identified. By convention, we identify () → τ with τ and λ().e with e.

2.3. Subtyping. Suppose <: is a reflexive partial order on B. Then <: can be extended to a reflexive partial order over the simple types over B by closing under:



We read "σ <: τ" as σ is a subtype of τ; and write τ :> σ for σ <: τ, and σ <: τ strictly (a strict variant of <:) for [σ <: τ and σ ≠ τ].

2.4. Type contexts and judgments. A type context Γ is a finite (possibly empty) mapping of variables to types; these are usually written as a list: v₁:σ₁, ..., v_k:σ_k. Γ, Γ' denotes the union of two type contexts with disjoint preimages. Γ ∪ Γ' denotes the union of two consistent type contexts, that is, Γ(x) and Γ'(x) are equal whenever both are defined. The type judgment Γ ⊢_F e: σ asserts that the assignment of type σ to expression e follows from the type assignments of Γ under the typing rules for formalism F. We typically omit the subscript in ⊢_F when F is clear from context.

2.5. Semantic conventions. For a particular semantics S for a formalism F, S⟦·⟧ is the semantic map that takes an F-syntactic object to its S-meaning. S⟦τ⟧ is the collection of things named by a type τ under S. For a type context Γ = x₁:τ₁, ..., x_n:τ_n, S⟦Γ⟧ is the set of all finite maps {x₁ ↦ a₁, ..., x_n ↦ a_n}, where a₁ ∈ S⟦τ₁⟧, ..., a_n ∈ S⟦τ_n⟧; i.e., environments. Convention: ρ (with and without decorations) ranges over environments and {} = the empty environment. S⟦Γ ⊢ e:τ⟧ is the map from S⟦Γ⟧ to S⟦τ⟧ such that S⟦Γ ⊢ e:τ⟧ ρ denotes the element of S⟦τ⟧ that is the S-meaning of expression e when e's free variables have the meanings given by ρ. Conventions: S⟦e⟧ is typically written in place of S⟦Γ ⊢ e:τ⟧ since the type judgment is usually understood from context. When e is closed, S⟦e⟧ is sometimes written in place of S⟦e⟧ {}. Also, e₀ =_S e₁ means S⟦e₀⟧ = S⟦e₁⟧.

2.6. Syntactic conventions. Substitutions (e.g., e[x := e']) are always assumed to be capture avoiding. Terms of the form (x e₁ ... e_k) are sometimes written as x(e₁, ..., e_k).

2.7. Call-by-value PCF. The syntax of our version of PCF is given in Figure 1 where the syntactic categories are: constants (K), raw-expressions (E), variables (X), and type-expressions (T) and where a ∈ {0,1}. Figure 2 states PCF's typing rules, where op stands for any of c₀, c₁, d, t₀, and t₁ and where E ::= e, e₀, e₁, e₂, K ::= k, T ::= σ, τ, and X ::= x. For emphasis we may write λx:σ.e instead of λx.e, but the type of x can always be inferred from any type judgement in which λx.e occurs. The intended interpretation of N is N (= {0,1}*). The reduction rules are essentially the standard ones for call-by-value PCF (see [Plo75, Pie02]). In particular, the reduction rules for c₀, c₁, d, t₀, t₁, down, if-then-else, and fix are given in Figure 3. Note that in if-then-else tests, ε corresponds to false and elements of (N − {ε}) correspond to true. In tests, we use x ≠ ε as syntactic sugar for x and use |e₀| ≤ |e₁| as syntactic sugar for (down c₀(e₀) c₀(e₁)).⁵ An operational semantics for PCF is provided by the CEK-machine given in §11.1. We take V (for value) to be a

⁵ We will see in §4 and §5 why down (as opposed to |·| ≤ |·|) is a primitive.





(2.1) 
E ::= K | (c_a E) | (d E) | (t_a E) | (down E E) | X | (E E) | (λX.E) | (if E then E else E) | (fix E)

K ::= {0,1}*        T ::= the simple types over N

Figure 1: PCF syntax

Const-I:   Γ ⊢ k: N

op-I:      Γ ⊢ e: N
           ───────────────
           Γ ⊢ (op e): N

down-I:    Γ₀ ⊢ e₀: N     Γ₁ ⊢ e₁: N
           ─────────────────────────────
           Γ₀ ∪ Γ₁ ⊢ (down e₀ e₁): N

Id-I:      Γ, x: σ ⊢ x: σ

→-I:       Γ, x: σ ⊢ e: τ
           ──────────────────────
           Γ ⊢ (λx.e): σ → τ

→-E:       Γ₀ ⊢ e₀: σ → τ     Γ₁ ⊢ e₁: σ
           ─────────────────────────────────
           Γ₀ ∪ Γ₁ ⊢ (e₀ e₁): τ

if-I:      Γ₀ ⊢ e₀: N     Γ₁ ⊢ e₁: N     Γ₂ ⊢ e₂: N
           ──────────────────────────────────────────────
           Γ₀ ∪ Γ₁ ∪ Γ₂ ⊢ (if e₀ then e₁ else e₂): N

fix-I:     Γ ⊢ (λx.e): σ → σ
           ──────────────────────
           Γ ⊢ (fix (λx.e)): σ

Figure 2: The PCF typing rules (premises above the line, conclusion below)

(c_a v) → a ⊕ v.        (d (a ⊕ v)) → v.        (d ε) → ε.

(t_a v) → 0, if v begins with a; ε, otherwise.

(down v₀ v₁) → v₀, if |v₀| ≤ |v₁|; ε, otherwise.

(if v₀ then v₁ else v₂) → v₁, if v₀ ≠ ε; v₂, if v₀ = ε.

fix (λx.e) → e[x := (fix (λx.e))].

Figure 3: The PCF reduction rules for c_a, d, t_a, down, if-then-else, and fix

conventional denotational semantics for PCF [Win93]. Standard arguments show that our operational semantics corresponds to V.

2.8. Total continuous functionals. Let σ and τ be simple product types over base type N. Inductively define: $\mathrm{TC}_{()} = \mathrm{TC}_{\mathrm{N}} = \mathbb{N}$; $\mathrm{TC}_{\sigma \times \tau} = \mathrm{TC}_\sigma \times \mathrm{TC}_\tau$; $\mathrm{TC}_{\sigma \to \tau}$ = the Kleene/Kreisel total continuous functions from $\mathrm{TC}_\sigma$ to $\mathrm{TC}_\tau$; the $\mathrm{TC}_\sigma$'s together form a cartesian closed category TC.⁶ This paper is concerned with only the type-level 0, 1, and 2 portions of TC from which we construct models of our programming formalisms.

2.9. Total monotone continuous functionals. Let σ and τ be simple product types over base type T (for tally). Inductively define the $\mathrm{MC}_\sigma$ sets and partial orders $\le_\sigma$ by: $\mathrm{MC}_{\mathrm{T}} = \omega$ and $\le_{\mathrm{T}}$ = the usual ordering on ω; $\mathrm{MC}_{()} = \{\ast\}$ and $\ast \le_{()} \ast$; $\mathrm{MC}_{\sigma \times \tau} = \mathrm{MC}_\sigma \times \mathrm{MC}_\tau$ and $(a, b) \le_{\sigma \times \tau} (a', b') \iff a \le_\sigma a'$ and $b \le_\tau b'$; and $\mathrm{MC}_{\sigma \to \tau}$ = the Kleene/Kreisel total continuous functions from $\mathrm{MC}_\sigma$ to $\mathrm{MC}_\tau$ that are monotone (w.r.t. $\le_\sigma$ and $\le_\tau$), and $\le_{\sigma \to \tau}$ is the point-wise ordering on $\mathrm{MC}_{\sigma \to \tau}$. (E.g., $\mathrm{MC}_{\mathrm{T} \to \mathrm{T}} = \{\, f\colon \omega \to \omega \mid f(0) \le f(1) \le f(2) \le \cdots \,\}$.) The $\mathrm{MC}_\sigma$'s turn out to form a cartesian closed category MC. As with TC, our



⁶ For background on the Kleene/Kreisel total continuous functions and TC, see the historical survey of Longley [Lon05] and the technical surveys of Normann [Nor99] and Schwichtenberg [Sch96].
P ::= K | (∨ P P) | (+ P P) | (* P P) | V | (P P) | (λV.P)

K ::= 0 | 1 | 2 | ...        T ::= the level 0, 1, and 2 simple types over T

Figure 4: The syntax for second-order polynomials and their standard types

Const-I:   Σ ⊢ k: T

⊙-I:       Σ₀ ⊢ p₀: T     Σ₁ ⊢ p₁: T
           ────────────────────────────        ⊙ = *, +, ∨
           Σ₀ ∪ Σ₁ ⊢ (⊙ p₀ p₁): T

Figure 5: The additional typing rules for the second-order polynomials

concern is with only the type-level 0, 1, and 2 portions of MC from which we construct our models of size and time bounds. Convention: We typically omit the subscript in $\le_\sigma$ when the σ is clear from context.

2.10. Lengths. For v ∈ N, let $|v| = \bar{k}$, where k is the length of the dyadic representation of v (e.g., $|110| = \bar{3} = 000$). For $f \in \mathrm{TC}_{(\mathrm{N}^k) \to \mathrm{N}}$, define $|f| \in \mathrm{MC}_{(\mathrm{T}^k) \to \mathrm{T}}$ by:

$$|f|(\vec{\ell}) = \max\{\, |f(\vec{v})| \;:\; |v_1| \le \ell_1,\ \ldots,\ |v_k| \le \ell_k \,\}. \qquad (2.2)$$

(This is Kapron and Cook's [KC96] definition.) For each σ, a simple type over N, let $|\sigma| = \sigma[\mathrm{N} := \mathrm{T}]$ (e.g., $|\mathrm{N} \to \mathrm{N}| = \mathrm{T} \to \mathrm{T}$). So by the above, $|v| \in \mathrm{MC}_{|\sigma|}$ when level(σ) ≤ 1 and $v \in \mathrm{TC}_\sigma$. Here is a type-level 2 notion of length that suffices for this paper. For $\gamma = (\sigma_1, \ldots, \sigma_k) \to \mathrm{N}$ of level-2, $F \in \mathrm{TC}_\gamma$, and $\ell_1 \in \mathrm{MC}_{|\sigma_1|}, \ldots, \ell_k \in \mathrm{MC}_{|\sigma_k|}$, define

$$|F|(\vec{\ell}) = \max\{\, |F(\vec{v})| \;:\; |v_1| \le_{|\sigma_1|} \ell_1,\ \ldots,\ |v_k| \le_{|\sigma_k|} \ell_k \,\}. \qquad (2.3)$$

$|F|$ as defined above turns out to be an element of $\mathrm{MC}_{|\gamma|}$.⁷

2.11. Maximums and polynomials. Let $v_1 \vee v_2 = \max(\{v_1, v_2\})$ and let $\bigvee_{i=1}^{k} v_i = \max(\{v_1, \ldots, v_k\})$ for $v_1, \ldots, v_k \in \omega$. By convention, max(∅) = 0. We allow ∨ as another arithmetic operation in polynomials; ∨ binds closer than either multiplication or addition. Coefficients in polynomials will always be nonnegative; hence polynomials denote monotone nondecreasing functions, i.e., type-level 1 elements of MC.



2.12. Second-order polynomials. We define the second-order polynomials [KC96] as a type-level 2 fragment of the simply typed λ-calculus over base type T with arithmetic operations ∨, +, and *. Figure 4 gives the syntax, where the syntactic categories are: constants (K), raw expressions (P), and type expressions (T). We often write ∨-, +-, and *-expressions in infix form. The typing rules are Id-I, →-I, and →-E from Figure 2 together with the rules in Figure 5. Moreover, the only variables allowed are those of type levels 0 and 1. Our semantics L (for length) for second-order polynomials is: $\mathcal{L}\llbracket\sigma\rrbracket = \mathrm{MC}_\sigma$ for each σ, a simple type over T, and $\mathcal{L}\llbracket\Sigma \vdash p\colon \sigma\rrbracket$ = the standard definition. The depth of a second-order polynomial q is the maximal depth of nesting of applications in q's β-normal form, e.g., $g_0\big((g_0(2 * y * g_1(y^2)) \vee 6)^2\big)$ has depth 3. There is a special case for variables of higher type: type-level ℓ variables are assigned depth ℓ.⁸ For second-order polynomials, depth plays something like the role degree does for ordinary polynomials.

⁷ When γ is type-level 2 and $\ell \in \mathrm{MC}_{|\gamma|}$, generally $\{\, F \in \mathrm{TC}_\gamma \mid |F| \le_{|\gamma|} \ell \,\}$ fails to be compact in the appropriate topology. Consequently, the type-3 analogue of (2.3) fails to yield lengths that are total. There are alternative notions of type-2 length that avoid this problem; [IKR02] investigates two of these.
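As an added illustration (not code from the paper), the depth measure and the length semantics L of this section, on second-order polynomials represented as nested tuples; the environment used for the paper's example (g₀ = identity, g₁ = successor, y = 2) is constructed here for the demonstration:

```python
# Added example (not from the paper): second-order polynomials of §2.12 as
# nested tuples, with the depth measure and evaluation under the length
# semantics L (type-1 variables are interpreted by monotone functions on
# tallies, modelled here as Python ints).
from typing import Callable, Dict, Tuple, Union

Poly = Tuple  # ("const", n) | ("var", x) | ("fvar", g) | ("op", "+"|"*"|"v", p, q) | ("app", g, p)
Env = Dict[str, Union[int, Callable[[int], int]]]


def depth(p: Poly) -> int:
    """Maximal nesting of applications of type-level 1 variables (the term is
    assumed to be in beta-normal form). A type-level 1 variable standing
    alone is assigned depth 1, the special case noted in the text."""
    tag = p[0]
    if tag in ("const", "var"):
        return 0
    if tag == "fvar":
        return 1
    if tag == "op":
        return max(depth(p[2]), depth(p[3]))
    if tag == "app":
        return 1 + depth(p[2])
    raise ValueError(f"unknown node {tag}")


def evaluate(p: Poly, rho: Env) -> int:
    """L[[p]] rho for a polynomial of type T; 'v' is the binary max of §2.11."""
    tag = p[0]
    if tag == "const":
        return p[1]
    if tag == "var":
        return rho[p[1]]
    if tag == "op":
        a, b = evaluate(p[2], rho), evaluate(p[3], rho)
        return {"+": a + b, "*": a * b, "v": max(a, b)}[p[1]]
    if tag == "app":
        return rho[p[1]](evaluate(p[2], rho))
    raise ValueError(f"cannot evaluate a node of kind {tag} to a tally")


def square(p: Poly) -> Poly:
    return ("op", "*", p, p)


# The paper's example  g0((g0(2 * y * g1(y^2)) v 6)^2), built bottom-up.
Y = ("var", "y")
INNER = ("app", "g1", square(Y))                                        # g1(y^2)
MID = ("app", "g0", ("op", "*", ("op", "*", ("const", 2), Y), INNER))   # g0(2*y*g1(y^2))
EXAMPLE = ("app", "g0", square(("op", "v", MID, ("const", 6))))


def example_depth() -> int:
    return depth(EXAMPLE)  # the text gives depth 3


def example_value() -> int:
    # Constructed environment: g0 = identity, g1 = successor, y = 2.
    rho: Env = {"y": 2, "g0": lambda n: n, "g1": lambda n: n + 1}
    return evaluate(EXAMPLE, rho)
```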

2.13. Time complexity. The CEK machine (§11.1) provides an operational semantics for PCF as well as for the formalisms BCL and ATR (§5). Since this paper concerns the evaluation of expressions and the associated costs, we use the CEK machine as our standard model of computation and use the CEK cost model (§11.2) as our standard notion of time complexity. As discussed in §11.2, Schönhage's storage modification machine [Sch80] is roughly the standard complexity-theoretic model of computation and cost underlying our CEK model. Storage modification machines and Turing machines are polynomially-related models of computation [Sch80]. Our CEK machine handles oracles (type-1 functions over N) as the values of particular variables in the initial environment for an evaluation. As with Kapron and Cook's answer-length cost model for oracle Turing machines [KC96], part of the CEK-cost of querying an oracle includes the length of the answer.

2.14. Basic feasibility. Suppose $\tau = (\sigma_1, \ldots, \sigma_k) \to \mathrm{N}$ is a simple type over N of level 1 or 2 and that $f \in \mathcal{V}\llbracket\tau\rrbracket$. ($\mathcal{V}\llbracket\cdot\rrbracket$ was introduced in §2.7.) We say that f is a basic feasible functional (or BFF) when there is a closed, type-τ PCF-expression $e_f$ and a second-order polynomial function $q_f$ such that (i) $\mathcal{V}\llbracket e_f\rrbracket = f$ and (ii) for all $v_1 \in \mathcal{V}\llbracket\sigma_1\rrbracket, \ldots, v_k \in \mathcal{V}\llbracket\sigma_k\rrbracket$, $\mathrm{CEK\text{-}time}(e_f, v_1, \ldots, v_k) \le q_f(|v_1|, \ldots, |v_k|)$, where CEK-time is defined in §11.2. For level-1 τ, this gives us the usual notion of type-1 polynomial-time computability. The original definitions and characterizations of the type-2 BFFs [Meh76, CU93, CK90] were all in terms of programming formalisms. The definition here is based on Kapron and Cook's machine-based characterization of the type-2 BFFs [KC96].

3. The BCL formalism 

The programming formalisms of this paper are built on work of Bellantoni and Cook [BC92] and Leivant [Lei95]. Bellantoni and Cook's paper takes a programming formalism for the primitive recursive functions, imposes certain intensionally-motivated constraints, and obtains a formalism for the polynomial-time computable functions. To explain these constraints and how they rein in computational strength, we sketch both BCL, a simple type-1 programming formalism based on Bellantoni and Cook's and Leivant's ideas, and BCL's properties.⁹ This sketch provides an initial framework for this paper's formalisms.

BCL has the same syntax as PCF (§2.7) with three changes: (i) fix is replaced with prn (for primitive recursion on notation [Cob65]) that has the reduction rule given by (1.1), (ii) the only variables allowed are those of base type, and (iii) the type system is altered as described below. If we were to stay with the simple types over N and the PCF-typing rules (Figure 2 and with prn: (N → N → N) → N → N), the resulting formalism would compute exactly the primitive recursive functions. Instead we modify the types and typing as follows. N is replaced with two base types, N_norm (normal values) and N_safe (safe values), subtype ordered N_norm <: N_safe. The BCL types are just the type-level 0 and 1 simple types

⁸ Since, for example, for f: T → T, f = λx.f(x) and depth(λx.f(x)) = 1.

⁹ BCL is much closer to Leivant's formalism [Lei95], which uses a ramified type system, than Bellantoni and Cook's, which does not use a conventional type system.
E ::= ... | (prn E)        T ::= the level 0 and 1 types over N_norm and N_safe

Figure 6: BCL syntax

Zero-I:        Γ ⊢ ε: N_norm

Subsumption:   Γ ⊢ e: σ     σ <: τ
               ──────────────────────
               Γ ⊢ e: τ

d-I':          Γ ⊢ e: N_norm
               ──────────────────────
               Γ ⊢ (d e): N_norm

prn-I:         Γ ⊢ e: N_norm → N_safe → N_safe
               ─────────────────────────────────
               Γ ⊢ (prn e): N_norm → N_safe

Figure 7: Additional BCL typing rules (premises above the line, conclusion below)

cat: N_norm → N_safe → N_safe =               // cat w x = w ⊕ x.  So, |cat w x| ≤ |w| + |x|.
    λw, x. let f: N_norm → N_safe → N_safe =
                   λy, z. if t₀(y) then c₀(z) else if t₁(y) then c₁(z) else x
           in prn f w

dup: N_norm → N_norm → N_safe =               // dup w x = x ⊕ ··· ⊕ x (|w| many).  So, |dup w x| ≤ |w| · |x|.
    λw, x. let g: N_norm → N_safe → N_safe = λy, z. if y ≠ ε then (cat x z) else ε
           in prn g w

Figure 8: Two sample BCL programs

over N_norm and N_safe. Both base types have intended interpretation N. The point of the two base types is to separate the roles of N-values: a N_norm-value can be used to drive a recursion, but cannot be the result of a recursion, whereas a N_safe-value can be the result of a recursion, but cannot be used to drive a recursion. These intentions are enforced by the BCL typing rules, consisting of: Id-I, →-I, and →-E from Figure 2; Const-I, c₀-I, c₁-I, d-I, t₀-I, t₁-I, down-I, and if-I also from Figure 2 where each N is changed to N_safe; and the rules in Figure 7. (Zero-I and d-I' are needed to make the prn reduction rules type-correct.) Figure 8 contains two sample BCL programs. For the sake of readability, we use the let construct as syntactic sugar.¹⁰
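The following added example (not code from the paper) runs the pieces just described: dyadic notation from §2.1, the string primitives of Figure 3, prn as in (1.1), and cat and dup from Figure 8, and checks the size bounds noted in Figure 8 on all short inputs. The extra `double_untyped` function is a constructed illustration, not a BCL program: it uses the recursion's own N_safe result in cat's N_norm position, which the BCL typing rules reject, and shows the exponential growth that rejection prevents.

```python
# Added example (not from the paper): dyadic strings (§2.1), the PCF string
# primitives (Figure 3), prn as in (1.1), and the BCL programs cat and dup
# (Figure 8), plus a check of the size bounds stated in Figure 8's comments.
from itertools import product
from typing import Callable, Iterator


def dyadic(n: int) -> str:
    """Dyadic notation over {0,1}: 0 -> '', 1 -> '0', 2 -> '1', 3 -> '00', 4 -> '01'."""
    digits = []
    while n > 0:
        n -= 1
        digits.append(str(n % 2))
        n //= 2
    return "".join(reversed(digits))


def undyadic(s: str) -> int:
    n = 0
    for ch in s:
        n = 2 * n + int(ch) + 1
    return n


# PCF string primitives (Figure 3); Python strings play the role of N = {0,1}*.
def c(a: str, v: str) -> str:        # (c_a v) -> a (+) v
    return a + v


def d(v: str) -> str:                # (d (a (+) v)) -> v,  (d eps) -> eps
    return v[1:]


def t(a: str, v: str) -> str:        # (t_a v) -> 0 if v begins with a, else eps
    return "0" if v.startswith(a) else ""


def down(v0: str, v1: str) -> str:   # (down v0 v1) -> v0 if |v0| <= |v1|, else eps
    return v0 if len(v0) <= len(v1) else ""


def prn(f: Callable[[str, str], str], x: str) -> str:
    """Primitive recursion on notation, rule (1.1):
    prn f eps -> f eps eps;  prn f (a (+) y) -> f (a (+) y) (prn f y).
    Computed bottom-up over the suffixes of x, so no deep Python recursion."""
    acc = f("", "")
    for i in range(len(x) - 1, -1, -1):
        acc = f(x[i:], acc)
    return acc


def cat(w: str, x: str) -> str:
    """cat: N_norm -> N_safe -> N_safe, exactly the program of Figure 8."""
    def f(y: str, z: str) -> str:
        if t("0", y):
            return c("0", z)
        if t("1", y):
            return c("1", z)
        return x
    return prn(f, w)


def dup(w: str, x: str) -> str:
    """dup: N_norm -> N_norm -> N_safe, exactly the program of Figure 8."""
    def g(y: str, z: str) -> str:
        return cat(x, z) if y != "" else ""
    return prn(g, w)


def double_untyped(w: str) -> str:
    """Constructed, NOT BCL-typable: z is the recursion's N_safe result but is
    fed to cat's N_norm position. Without the norm/safe split, |result| = 2^|w|."""
    return prn(lambda y, z: cat(z, z) if y != "" else "0", w)


def all_strings(max_len: int) -> Iterator[str]:
    for n in range(max_len + 1):
        for bits in product("01", repeat=n):
            yield "".join(bits)


def size_bounds_hold(max_len: int = 4) -> bool:
    """|cat w x| <= |w| + |x| and |dup w x| <= |w| * |x| on all inputs up to max_len."""
    for w in all_strings(max_len):
        for x in all_strings(max_len):
            if len(cat(w, x)) > len(w) + len(x):
                return False
            if len(dup(w, x)) > len(w) * len(x):
                return False
    return True
```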

Propositions 1, 2, and 3 state the key computational limitations and capabilities of BCL. In the following $\vec{x}$: N_norm abbreviates x₁: N_norm, ..., x_m: N_norm and $\vec{y}$: N_safe abbreviates y₁: N_safe, ..., y_n: N_safe. Recall from §2.13 that our standard notion of time complexity is the time cost model of the CEK-machine (§11.2).

Proposition 1 (BCL polynomial size-boundedness). Suppose $\vec{x}$: N_norm, $\vec{y}$: N_safe ⊢ e: b.

(a) If b = N_norm, then for all values of $\vec{x}, \vec{y}$, $|e| \le \bigvee_{i=1}^{m} |x_i|$.

(b) If b = N_safe, then there is a polynomial p over $|x_1|, \ldots, |x_m|$ such that, for all values of $\vec{x}, \vec{y}$, $|e| \le p + \bigvee_{j=1}^{n} |y_j|$.

Proposition 1's proof is an induction on e's syntactic structure, where the prn-case is the crux of the argument. Here is a sketch of a mild simplification of that case. (This sketch is the model for several key subsequent arguments.) Suppose e = prn e' x, where x₀: N_norm, $\vec{x}$: N_norm, y₀: N_safe, $\vec{y}$: N_safe ⊢ (e' x₀ y₀): N_safe and x ∈ {x₁, ..., x_m}. Also suppose that, for all values of x₀, ..., x_m, y₀, ..., y_n, $|e'\ x_0\ y_0| \le p'(|x_0|) + \bigvee_{j=0}^{n} |y_j|$ where p' is a polynomial over |x₀| (explicitly) and |x₁|, ..., |x_m| (implicitly). Fix the values of x₁, ..., y_n, where in particular x has the value a₁...a_k for a₁, ..., a_k ∈ {0,1}. We determine bounds for $|\mathrm{prn}\ e'\ \varepsilon|$, $|\mathrm{prn}\ e'\ a_k|$, $|\mathrm{prn}\ e'\ a_{k-1}a_k|$, ..., $|\mathrm{prn}\ e'\ a_1 \ldots a_k|$ in turn. First, $|\mathrm{prn}\ e'\ \varepsilon| = |e'\ \varepsilon\ \varepsilon| \le p'(0) + \bigvee_{j=1}^{n} |y_j|$. Next,

$$|\mathrm{prn}\ e'\ a_k| = |e'\ a_k\ (\mathrm{prn}\ e'\ \varepsilon)| \le p'(1) + |\mathrm{prn}\ e'\ \varepsilon| \vee \bigvee_{j=1}^{n} |y_j| \le p'(1) + \Big(p'(0) + \bigvee_{j=1}^{n} |y_j|\Big) \vee \bigvee_{j=1}^{n} |y_j| \le p'(0) + p'(1) + \bigvee_{j=1}^{n} |y_j|.$$

Continuing, we end up with $|\mathrm{prn}\ e'\ x| \le p'(0) + p'(1) + \cdots + p'(k) + \bigvee_{j=1}^{n} |y_j| \le (|x| + 1) * p'(|x|) + \bigvee_{j=1}^{n} |y_j|$. So, $p = (|x| + 1) * p'(|x|)$ suffices for this case.

¹⁰ Where (let x = e' in e) = e[x := e']. This permits naming defined functions.

Proposition 2 (BCL polynomial time-boundedness). Given $\vec{x}$: N_norm, $\vec{y}$: N_safe ⊢ e: (b₁, ..., b_ℓ) → b, there is a polynomial q over $|w_1|, \ldots, |w_\ell|, |x_1|, \ldots, |x_m|, |y_1|, \ldots, |y_n|$ such that, for all values of w₁, ..., y_n, q bounds the CEK-cost of evaluating (e w₁ ... w_ℓ).

Proposition 2's proof rests on three observations: (i) evaluating (prn e e') takes |e'|-many (top-level) recursions, (ii) by the first observation and the details of CEK costs, the time-cost of a CEK evaluation of a BCL expression can be bounded by a polynomial over the lengths of base type values involved, and (iii) Proposition 1 provides polynomial bounds on all these lengths. Proposition 2 thus follows through a straightforward induction on the syntactic structure of e. Proposition 3's proof is mostly an exercise in programming.

Proposition 3 (BCL polynomial-time completeness). For each polynomial-time computable $f \in ((\mathrm{N}^k) \to \mathrm{N})$, there is an $e_f$ with $\vdash e_f\colon (\mathrm{N_{norm}}^k) \to \mathrm{N_{safe}}$ such that $\mathcal{V}\llbracket e_f\rrbracket = f$.

BCL is <:-predicative in the sense that no information about a N_safe-value can ever make its way into a N_norm-value. For example:

Proposition 4. Suppose ⊢ e: (N_norm, N_safe) → N_norm. Then $e =_{\alpha\beta} \lambda w, x.\, e'$ with e' = ε or else $e' = (d^{(k)}\ w)$ for some k ≥ 0, where $(d^{(0)}\ w) = w$ and $(d^{(k+1)}\ w) = (d\ (d^{(k)}\ w))$.

BCL's <:-predicativity plays a key role in proving the polynomial size-bounds of Proposition 1, but plays no direct (helpful) role in the other proofs.

4. Building a better BCL 

Our definition of ATR in the next section can be thought of as building an extension of BCL that: (i) computes the type-2 BFFs, (ii) replaces prn with something closer to fix, and (iii) admits reasonably direct complexity theoretic analyses. This section motivates some of the differences between BCL and ATR.

Types and depth. We want to extend BCL's type system to allow definitions of functions such as $F_0 = \lambda f \in \mathrm{N} \to \mathrm{N},\ x \in \mathrm{N}.\ f(f(x))$, a basic feasible functional. A key question then is how to assign types to functional parameters such as f above. Under f: N_norm → N_safe, F₀ fails to have a well-typed definition. Under any of f: N_norm → N_norm, f: N_safe → N_safe, and f: N_safe → N_norm, F₀ has a well-typed definition, but then so does $F_1 = \lambda f \in \mathrm{N} \to \mathrm{N},\ x \in \mathrm{N}.\ f^{(|x|)}(x)$ which is not basic feasible. Thus some nontrivial modification of the BCL types seems necessary for any extension to type-level 2.
down-I':   Γ₀ ⊢ e₀: N_safe     Γ₁ ⊢ e₁: N_norm
           ────────────────────────────────────────
           Γ₀ ∪ Γ₁ ⊢ (down e₀ e₁): N_norm

if-I':     Γ₀ ⊢ e₀: N_safe     Γ₁ ⊢ e₁: N_norm     Γ₂ ⊢ e₂: N_norm
           ──────────────────────────────────────────────────────────
           Γ₀ ∪ Γ₁ ∪ Γ₂ ⊢ (if e₀ then e₁ else e₂): N_norm

Figure 9: Additional rules for BCL' (premises above the line, conclusion below)



We sketch a naive extension that uses an informal notion of the depth of an expression 
(based on second-order polynomial depth, see §2.12). Let the naive depth of an expression 
(in normal form) be the depth of nesting of applications of type-level 1 variables. For 
example, given $f\colon \mathrm{N} \to \mathrm{N} \to \mathrm{N}$, then $f(c_0(f(c_0(x), y)), c_1(\mathrm{d}(y)))$ has naive depth 2. We 
can regard the values of x and y as (depth-0) inputs and the values of $c_0(x)$ and $\mathrm{d}(y)$ as 
the results of polynomial-time computations over those inputs. Taking the type-level 1 
variables as representing oracles, the value of $f(c_0(x), y)$ can then be regarded as a depth-1 
input (that is, an input that is in response to a depth-0 query); hence, $c_0(f(c_0(x), y))$ is 
the result of a polynomial-time computation over a depth-1 input. Similarly, the value of 
$f(c_0(f(c_0(x), y)), c_1(\mathrm{d}(y)))$ can be regarded as a depth-2 input. Thus, our naive extension 
amounts to having, for each $d \in \omega$, depth-d versions of both $\mathrm{N}_{norm}$ and $\mathrm{N}_{safe}$ and treating all 
arrow types as "depth polymorphic" so, for instance, the type of f as above indicates that 
f takes depth-d safe values to depth-(d+1) normal values, for each $d \in \omega$. This permits a 
well-typed definition for $F_0$, but not for $F_1$. 

The naivete of the above is shown by another example. Let 

$F_2 = \lambda f \in \mathbb{N} \to \mathbb{N},\, y \in \mathbb{N}.\ [\,g^{(|y|)}(y),\ \text{where}\ g = \lambda w \in \mathbb{N}.\ (f(w) \bmod (y+1))\,].$ (4.1) 

$F_2$ is basic feasible, $|F_2(f, y)| \leq |y|$, but it is reasonable to think of $F_2(f, y)$ having unbounded 
naive depth. 

Our solution to this problem is to use a more relaxed version of $<:$-predicativity than 
that of BCL. To explain this let us consider BCL', which is the result of adding the rules of 
Figure 9 to BCL. (The rewrite rule for down is given in Figure O.) These typing rules allow 
information about $\mathrm{N}_{safe}$ values to flow into $\mathrm{N}_{norm}$ values, but only in very controlled ways. 
In down-I', the controlling condition is that the length of this $\mathrm{N}_{safe}$ information is bounded 
by the length of some prior $\mathrm{N}_{norm}$ value. In if-I', essentially only one bit of information 
about a $\mathrm{N}_{safe}$ value is allowed to influence the $\mathrm{N}_{norm}$ value of the expression. Because of 
these controlling conditions, the proofs of Propositions 1, 2, and 3 go through for BCL' with 
only minor changes, but in place of Proposition 4 we have: 

Proposition 5. $\{\,\mathcal{V}[\![e]\!] \mid \vdash_{BCL'} e\colon \mathrm{N}_{norm} \to \mathrm{N}_{safe} \to \mathrm{N}_{norm}\,\}$ = the set of polynomial-time 
computable $f \in \mathbb{N} \to \mathbb{N} \to \mathbb{N}$ such that $|f(x, y)| \leq |x|$ for all x and y. 

Each BCL' type $\gamma$ has a quantitative meaning in the sense that every element of $\{\,\mathcal{V}[\![e]\!] \mid 
\Gamma \vdash_{BCL'} e\colon \gamma\,\}$ has a polynomial size-bound of a particular form. ATR has rules analogous 
to if-I' and down-I' and, consequently, functions such as $F_2$ have well-typed definitions. 
Moreover, each ATR type $\gamma$ has a quantitative meaning in the sense that $\{\,\mathcal{V}[\![e]\!] \mid \vdash_{ATR} 
e\colon \gamma\,\}$ = the set of all ATR-computable functions having second-order polynomial size-bounds 
of a form dictated by $\gamma$. In particular, for each $\gamma$, a $d_\gamma \in \omega$ can be read off such that all 
the bounding polynomials for type-$\gamma$ objects can be of depth $\leq d_\gamma$. This is the (non-naive) 
connection of ATR's type-system to the notion of depth. The above glosses over the issue 
of the "depth polymorphic" higher types which are discussed in §5. 



Truncated fixed points. For PCF, fix is thought of as expressing general recursion. It 
would be ever so convenient if one could replace fix with some higher-type polynomial-time 
construct and obtain "the" feasible version of PCF in which all (and only) the polynomial-time 
recursion schemes are expressible. However, because of some basic limitations of 
subrecursive programming formalisms [Mar72, Roy87], it is unlikely that there is any finite 
collection of constructs through which one can express all and only such recursion schemes. 

Our goals are thus more modest. We make use of the programming construct crec, 
for clocked recursion. The crec construct is a descendant of Cobham's [Cob65] bounded 
recursion on notation and not a true fixed-point constructor. The reduction rule for crec is: 

$(\mathrm{crec}\ a\ (\lambda_r f.e)) \to \lambda \vec{x}.\ (\mathrm{if}\ |a| \leq |x_1|\ \mathrm{then}\ (e'\ \vec{x})\ \mathrm{else}\ \varepsilon)$ (4.2) 

with $e' = e[f := (\mathrm{crec}\ (0 \oplus a)\ (\lambda_r f.e))]$, 

where a is a constant and $\vec{x} = x_1, \dots, x_k$ is a sequence of variables. Roughly, $|a|$ acts as the 
tally of the number of recursions thus far and $(0 \oplus a)$ is the result of a tick of the clock. The 
value of $x_1$ is the program's estimate of the total number of recursions it needs to do its job. 
Typing constraints will make sure that each crec-recursion terminates after polynomially-many 
steps. Without these constraints, crec is essentially equivalent to fix. Clocking the 
fixed point process is a strong restriction. However, results on clocked programming systems 
([RC94, Chapter 4]) suggest that clocking, whether explicit or implicit, is needed to produce 
programs for which one can determine explicit run-time bounds. 
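The following Python model is an added illustration and not code from the paper: it runs rule (4.2) on dyadic strings, uses it to evaluate the reverse program of Figure 13, and runs a body that would diverge under fix to show that the clock alone bounds the number of unrollings. The string encoding of values, the helper names (`crec`, `reverse`, `runaway`, `unrollings`) and the unrolling counter are assumptions of this example.

```python
# Added example (not the paper's own code): a Python model of the clocked
# recursion rule (4.2) over dyadic strings, run on the reverse program of
# Figure 13 and on a body that would loop under fix.
# Values are Python str over {'0', '1'}; the empty string is the constant ε,
# and the length |a| of a string is its tally when used as a clock.
EPS = ""

def c0(x): return x + "0"          # c_0: append a 0 as the rightmost (least significant) digit
def c1(x): return x + "1"          # c_1: append a 1
def d(x):  return x[:-1]           # d: drop the rightmost digit (d ε = ε)
def t0(x): return x.endswith("0")  # t_0: does x end in 0?
def t1(x): return x.endswith("1")  # t_1: does x end in 1?

def crec(a, body, counter=None):
    """Model of (crec a (λ_r f.e)) as λx. if |a| ≤ |x_1| then (e' x) else ε, with
    e' = e[f := crec (0 ⊕ a) (λ_r f.e)].  `body` is the Python image of λ_r f.e:
    given f it returns the function of the x's.  `counter` (our addition, a
    one-element list) counts how often the body is unrolled; not part of the rule."""
    def clocked(*xs):
        if len(a) <= len(xs[0]):                    # |a| ≤ |x_1|: the clock has not run out
            if counter is not None:
                counter[0] += 1
            ticked = crec("0" + a, body, counter)   # 0 ⊕ a: one tick of the clock
            return body(ticked)(*xs)
        return EPS                                  # clock exhausted: the recursion stops
    return clocked

def reverse(w, counter=None):
    """reverse from Figure 13: (letrec f = λb,x,r. ... in f w w ε), so the clock
    argument b is w itself and at most |w|+1 unrollings can happen."""
    def body(f):
        def step(b, x, r):
            if t0(x):
                return f(b, d(x), c0(r))
            if t1(x):
                return f(b, d(x), c1(r))
            return r
        return step
    return crec(EPS, body, counter)(w, w, EPS)

def runaway(w, counter=None):
    """A body that never shrinks x (under fix this would loop forever); under crec
    the clock still stops it after |w|+1 unrollings, yielding ε."""
    def body(f):
        return lambda b, x, r: f(b, x, c0(r))
    return crec(EPS, body, counter)(w, w, EPS)

def unrollings(program, w):
    """Run `program` on w and return (result, number of body unrollings)."""
    counter = [0]
    return program(w, counter), counter[0]
```

The model enforces only the clock: the one-use and tail-call restrictions discussed next are typing constraints and are not checked here.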

Along with clocking, we impose two other restrictions on recursions. 



One use. In any expression of the form $(\mathrm{crec}\ a\ (\lambda_r f.e))$, we require that f has at most 
one use in e. Operationally this means that, in any possible evaluation of e, at most one 
application of f takes place. One consequence of this restriction is that no free occurrence 
of f is allowed within any inner crec expression. (Even if f occurs but once in an inner crec, 
the presumption is that f may be used many times.) Affine typing constraints enforce this 
one-use restriction. Note that prn is a one-use form of recursion. 

The motivation for the one-use restriction stems from the recurrence equations that 
come out of time-complexity analyses of recursions. Under the one-use restriction, bounds 
on the cost of m steps of a crec recursion are provided by recurrences of the form $T(m, \vec{n}) \leq 
T(m-1, \vec{n}) + q(\vec{n})$, where $\vec{n}$ represents the other parameters and q is a (second-order) 
polynomial. Such T's grow polynomially in m. Thus, a polynomial bound on the depth of 
a crec recursion implies a polynomial bound on the recursion's total cost. If, say, two uses 
were allowed, the recurrences would be of the form $T(m, \vec{n}) \leq 2 \cdot T(m-1, \vec{n}) + q(\vec{n})$ and 
such T's can grow exponentially in m. 



Tail recursions. We restrict crec terms to expressing just tail recursions. Terminology: 
The tail terms of an expression e consist of: (i) e itself, (ii) $e'$, when $(\lambda x.e')$ is a tail term, 
and (iii) $e_1$ and $e_2$, when $(\mathrm{if}\ e_0\ \mathrm{then}\ e_1\ \mathrm{else}\ e_2)$ is a tail term. A tail call in e is a tail term 
of the form $(f\ e_1 \dots e_k)$. Informally, a tail recursive definition is a function definition in 
which every recursive call is a tail call. Formally, we say that $(\mathrm{crec}\ a\ (\lambda_r f.e))$ expresses a 
tail recursion when each occurrence of f in e is as the head of a tail call in e.^{10} 

$E ::= \dots \mid (\mathrm{crec}\ K\ (\lambda_r X.E))$    $L ::= (\Box o)^* \mid o(\Box o)^*$ 

$T_0 ::= \mathrm{N}_L$    $T ::=$ the level 0, 1, and 2 simple types over $T_0$ 

Figure 10: ATR syntax 

Simplicity is the foremost motivation for the restriction to tail recursions as they are 
easy to work with from both programming and complexity-theoretic standpoints. Additionally, 
tail recursion is a well-studied and widely-used universal form of recursion: there are 
continuation passing style translations of many program constructs into pure tail-recursive 
programs. (Reynolds [Rey93] provides a nice historical introduction.) Understanding the 
complexity-theoretic properties of tail-recursive programs should lead to an understanding 
of a much more general set of programs. 

5. Affine tiered recursion 

Syntax. ATR (for affine tiered recursion) has the same syntax as PCF with three changes: 
(i) fix is replaced with crec as discussed in the previous section, (ii) the only variables allowed 
are those of type-levels 0 and 1, and (iii) the type system is altered as described below. 

Types. The ATR types consist of labeled base types ($T_0$ from Figure 10) and the level 1 
and 2 simple types over these base types. We first consider labels (L from Figure 10). 

Labels. Labels are strings of alternating o's and □'s in which the rightmost symbol of a 
nonempty label is always o. A label $a_k \dots a_0$ can be thought of as describing program-oracle 
conversations: each symbol $a_i$ represents an action (□ = an oracle action, o = a 
program action) with the ordering in time being $a_0$ through $a_k$. Terminology: $\varepsilon$ = the 
empty label, $\ell \leq \ell'$ means label $\ell$ is a suffix of label $\ell'$, and $\ell \vee \ell'$ is the $\leq$-maximum of $\ell$ and 
$\ell'$. Also let $succ(\ell)$ = the successor of $\ell$ in the $\leq$-ordering, $depth(\ell)$ = the number of □'s in 
$\ell$, and, for each $d \in \omega$, $\Box_d = (\Box o)^d$ and $o_d = o(\Box o)^d$. Note: $depth(\Box_d) = depth(o_d) = d$. 

Labeled base types. The ATR base types are all of the form $\mathrm{N}_\ell$, where $\ell$ is a label. These base 
types are subtype-ordered by: $\mathrm{N}_\ell <: \mathrm{N}_{\ell'} \iff \ell \leq \ell'$. We thus have the linear ordering: 
$\mathrm{N}_\varepsilon <: \mathrm{N}_o <: \mathrm{N}_{\Box o} <: \mathrm{N}_{o\Box o} <: \cdots$, or equivalently, $\mathrm{N}_{\Box_0} <: \mathrm{N}_{o_0} <: \mathrm{N}_{\Box_1} <: \mathrm{N}_{o_1} <: \cdots$. Define 
$depth(\mathrm{N}_\ell) = depth(\ell)$. $\mathrm{N}_{\Box_d}$ and $\mathrm{N}_{o_d}$ are the depth-d analogues of the BCL'-types $\mathrm{N}_{norm}$ and 
$\mathrm{N}_{safe}$, respectively. These types can be interpreted as follows. 

• A $\mathrm{N}_\varepsilon$-value is an ordinary base-type input or else is bounded by some prior (i.e., 
previously computed) $\mathrm{N}_\varepsilon$-value. 

• A $\mathrm{N}_{o_d}$-value is the result of a (type-2) polynomial-time computation over $\mathrm{N}_{\Box_d}$-values 
or else is bounded by some prior $\mathrm{N}_{o_d}$-value. 

• A $\mathrm{N}_{\Box_{d+1}}$-value is the answer to a query made to a type-1 input on $\mathrm{N}_{o_d}$-values or else 
is bounded by some prior $\mathrm{N}_{\Box_{d+1}}$-value. 

The $\mathrm{N}_{\Box_d}$ types are called oracular and the $\mathrm{N}_{o_d}$'s are called computational. 

^{10} Because of the one-use restriction, this simple definition of tail recursion suffices for this paper. For 
details on the more general notion see [Rey98, FWH01]. 

The ATR arrow types. These are just the level 1 and 2 simple types over the $\mathrm{N}_\ell$'s. The subtype 
relation $<:$ is extended to these arrow types as in (2.1). Terminology: Let $shape(\sigma)$ = 
the simple type over N resulting from erasing all the labels. The tail of a type is given by: 

$tail(\mathrm{N}_\ell) = \mathrm{N}_\ell$.  $tail(\sigma \to \tau) = tail(\tau)$. 

Let $depth(\sigma) = depth(tail(\sigma))$. When $tail(\sigma)$ is oracular, we also call $\sigma$ oracular and let 
$side(\sigma) = \Box$. When $tail(\sigma)$ is computational, we call $\sigma$ computational and let $side(\sigma) = o$. 

Definition 6 (Predicative, impredicative, flat, and strict types). An ATR type $\gamma$ is predicative 
when $\gamma$ is a base type or when $\gamma = (\sigma_1, \dots, \sigma_k) \to \mathrm{N}_\ell$ and $tail(\sigma_i) <: \mathrm{N}_\ell$ for each i. 
A type is impredicative when it fails to be predicative. An ATR type $(\sigma_1, \dots, \sigma_k) \to \mathrm{N}_\ell$ is 
flat when $tail(\sigma_i) = \mathrm{N}_\ell$ for some i. A type is strict when it fails to be flat. 

Examples: $\mathrm{N}_\varepsilon \to \mathrm{N}_o$ is predicative whereas $\mathrm{N}_{\Box o} \to \mathrm{N}_o$ is impredicative, and both are 
strict. Both $\mathrm{N}_o \to \mathrm{N}_o$ and $\mathrm{N}_o \to \mathrm{N}_{\Box o} \to \mathrm{N}_o$ are flat, but the first is predicative and the 
second impredicative. Recursive definitions tend to involve flat types. 

Example 23 below illustrates that values of both impredicative and flat types require 
special restrictions in any sensible semantics of ATR. Our semantic restrictions for these 
types are made precise in §7 and §9 below. Here we give a quick sketch of these restrictions 
as they figure in the definition of $\propto$, the shifts-to relation, used in the typing rules. For each 
impredicative type $(\vec\sigma) \to \mathrm{N}_\ell$: if $\vdash f\colon (\vec\sigma) \to \mathrm{N}_\ell$, then the value of $|f(\vec{x})|$ is essentially 
independent of the values of the $|x_i|$'s with $tail(\sigma_i) :> \mathrm{N}_\ell$. For each flat type $(\vec\sigma) \to \mathrm{N}_\ell$ (that 
for simplicity here we further restrict to be a level-1 computational type): if $\vdash f\colon (\vec\sigma) \to \mathrm{N}_\ell$, 
then $|f(\vec{x})| \leq p + \bigvee\{\,|x_i| \mid tail(\sigma_i) = \mathrm{N}_\ell\,\}$, where p is a second-order polynomial over 
elements of $\{\,|x_i| \mid tail(\sigma_i) <: \mathrm{N}_\ell\,\}$. (Compare this to the bound of Proposition 1(b).) 

Typing rules. The ATR-typing rules are given in Figure 11. The rules Zero-I, Const-I, 
Int-Id-I, Subsumption, op-I, →-I, and →-E are essentially lifts from BCL (with one 
subtlety regarding →-E discussed below). The if-I and down-I rules were motivated in §4. 
The remaining three rules Aff-Id-I and crec-I (that relate to recursions and the split type 
contexts) and Shift (that coerces types) require some discussion. 

Affinely restricted variables and crec. Each ATR type judgment is of the form $\Gamma; \Delta \vdash e\colon \gamma$ 
where each type context is separated into two parts: an intuitionistic zone ($\Gamma$) and an affine 
zone ($\Delta$). $\Gamma$ and $\Delta$ are simply finite maps (with disjoint preimages) from variables to ATR-types. 
By convention, "_" denotes an empty zone. Also by convention we shall restrict our 
attention to ATR type judgments in which each affine zone consists of at most one type 
assignment. (See Scholium 7(a).) In reading the rules of Figure 11, think of a variable in an 
affine zone as destined to be the recursor variable in some crec expression. An intuitionistic 
zone can be thought of as assigning types to each of the mundane variables. 

Terminology: A variable f is said to be affinely restricted in $\Gamma; \Delta \vdash e\colon \sigma$ if and only if 
f is assigned a type by $\Delta$ or is $\lambda_r$-abstracted over in e. 
Zero-I: $\Gamma;\Delta \vdash \varepsilon\colon \mathrm{N}_\varepsilon$    Const-I: $\Gamma;\Delta \vdash k\colon \mathrm{N}_o$ 

Int-Id-I: $\Gamma, x\colon\sigma;\Delta \vdash x\colon \sigma$    Aff-Id-I: $\Gamma; x\colon\gamma \vdash x\colon \gamma$ 

Shift: $\dfrac{\Gamma;\Delta \vdash e\colon \sigma}{\Gamma;\Delta \vdash e\colon \tau}$ ($\sigma \propto \tau$)    Subsumption: $\dfrac{\Gamma;\Delta \vdash e\colon \sigma}{\Gamma;\Delta \vdash e\colon \tau}$ ($\sigma <: \tau$) 

op-I: $\dfrac{\Gamma;\Delta \vdash e\colon \mathrm{N}_{o_d}}{\Gamma;\Delta \vdash (\mathrm{op}\ e)\colon \mathrm{N}_{o_d}}$    down-I: $\dfrac{\Gamma;\Delta_0 \vdash e_0\colon \mathrm{N}_{\ell_0} \qquad \Gamma;\Delta_1 \vdash e_1\colon \mathrm{N}_{\ell_1}}{\Gamma;\Delta_0,\Delta_1 \vdash (\mathrm{down}\ e_0\ e_1)\colon \mathrm{N}_{\ell_1}}$ 

→-I: $\dfrac{\Gamma, x\colon\sigma;\Delta \vdash e\colon \tau}{\Gamma;\Delta \vdash (\lambda x.e)\colon \sigma \to \tau}$    →-E: $\dfrac{\Gamma;\Delta \vdash e_0\colon \sigma \to \tau \qquad \Gamma;\_ \vdash e_1\colon \sigma}{\Gamma;\Delta \vdash (e_0\ e_1)\colon \tau}$ 

if-I: $\dfrac{\Gamma;\_ \vdash e_0\colon \mathrm{N}_\ell \qquad \Gamma;\Delta_1 \vdash e_1\colon \mathrm{N}_{\ell'} \qquad \Gamma;\Delta_2 \vdash e_2\colon \mathrm{N}_{\ell'}}{\Gamma;\Delta_1 \cup \Delta_2 \vdash (\mathrm{if}\ e_0\ \mathrm{then}\ e_1\ \mathrm{else}\ e_2)\colon \mathrm{N}_{\ell'}}$ 

crec-I: $\dfrac{\vdash k\colon \mathrm{N}_o \qquad \Gamma; f\colon\gamma \vdash e\colon \gamma}{\Gamma;\_ \vdash (\mathrm{crec}\ k\ (\lambda_r f.e))\colon \gamma}$ ($\gamma \in \mathcal{R}$ and $TailPos(f, e)$) 

where: 

$\mathcal{R} \stackrel{\text{def}}{=} \{\,(b_1, b_2, \dots, b_k) \to b \mid b_1 \text{ and each } b_i <: b_1 \text{ is oracular}\,\}$. 
$TailPos(f, e) \stackrel{\text{def}}{\equiv}$ [Each occurrence of f in e is as the head of a tail call]. 

Figure 11: ATR typing rules 



The use of split type contexts is adapted from Barber and Plotkin's DILL [Bar96, 
BP97], a linear typing scheme that permits a direct description of the intuitionistic 
arrow of the conventional simple types. The key rule borrowed from DILL is →-E which 
forbids free occurrences of affinely restricted variables in the operand position of any 
intuitionistic application. This precludes the typing of crec-expressions containing subterms 
such as $\lambda_r f.(\lambda g.(g(g\,\varepsilon))\ f) =_\beta \lambda_r f.(f(f\,\varepsilon))$ where f is used multiple times. 

The crec-I rule forbids any free occurrence of an affinely restricted variable; if such 
a free occurrence was allowed, it could be used any number of times through the crec-recursion. 
The crec-I rule requires that the recursor variable have a type $\gamma \in \mathcal{R}$ which 
in turn becomes the type of the crec-expression. The restrictions in $\mathcal{R}$'s definition (in 
Figure 11) are a more elaborate version of the typing restrictions for prn-expressions in 
BCL. When $\gamma = (\mathrm{N}_{\Box_d}, b_2, \dots, b_k) \to b \in \mathcal{R}$, it turns out that $\mathcal{R}$'s restrictions limit a type-$\gamma$ 
crec-expression to at most p-many recursions, where p is some fixed, depth-d second-order 
polynomial (Theorem 43). Excluding $\mathrm{N}_{o_0}, \dots, \mathrm{N}_{o_{d-1}}$ in $\gamma$ forbids depth $0, \dots, d-1$ analogues 
of $\mathrm{N}_{safe}$-parameters from figuring in the recursion, and consequently, the recursion cannot 
accumulate information that could change the value of p unboundedly. 

Scholium 7. 

(a) Judgments with multiple type assignments in their affine zone are derivable. 
However, such a judgment is a dead end in the sense that crec-I, the only means to eliminate 
an affine-zone variable, requires a singleton affine zone. 

(b) ATR has no explicit $\multimap$-types. Implicitly, a $(\lambda_r f.e)$ subexpression is of type $\gamma \multimap \gamma$ 
and crec-I plays the roles of both $\multimap$-I and $\multimap$-E. ATR's very restricted use of affinity permits 
this $\multimap$-bypass. 

(c) As mentioned in §4, the restriction to tail recursions in crec-I is in the interest of 
simplicity. In a follow-up to the present paper, we show how to relax this restriction to allow 
a broader range of affine recursions in ATR programs [DR07]. Dealing with this broader 
range of recursions turns out to require nontrivial extensions of the techniques of §§12–15 
below. 

Shift. The Shift rule covariantly coerces the type of a term to be deeper. Before stating 
the definition of the shifts-to relation ($\propto$), we first consider the simple case of shifting 
types of shape $\mathrm{N} \to \mathrm{N}$. The core idea is simply: $(\mathrm{N}_{\ell_1} \to \mathrm{N}_{\ell_0}) \propto (\mathrm{N}_{\ell'_1} \to \mathrm{N}_{\ell'_0})$ when 
$depth(\mathrm{N}_{\ell'_0}) - depth(\mathrm{N}_{\ell_0}) = depth(\mathrm{N}_{\ell'_1}) - depth(\mathrm{N}_{\ell_1}) \geq 0$. The motivation for this is that if p 
and q are second-order polynomials of depths $d_p$ and $d_q$, respectively, and x is a base-type 
variable appearing in p that is treated as representing a depth-$d_x$ value (with $d_x \leq d_q$), then 
$p[x := q]$ is, in the worst case, of depth $d_p + (d_q - d_x)$. The full story for shifting level-1 types 
has to account for arbitrary arities, the sides of the component types, and impredicative and 
flat types, but even so it is still not too involved. Shifting level-2 types involves a new set 
of issues that we discuss after dealing with the level-1 case. Recall that $\max(\emptyset) = 0$. 

Definition 8 ($\propto$, the shifts-to relation). 

(a) We inductively define $\propto$ by: $\mathrm{N}_{\Box_d} \propto \mathrm{N}_{\Box_{d'}}$, and $\mathrm{N}_{o_d} \propto \mathrm{N}_{o_{d'}}$, when $d \leq d'$; and $(\sigma_1 \to 
\cdots \to \sigma_k \to \mathrm{N}_{\ell_0}) \propto (\sigma'_1 \to \cdots \to \sigma'_k \to \mathrm{N}_{\ell'_0})$ when 

(i) $\mathrm{N}_{\ell_0} \propto \mathrm{N}_{\ell'_0}$, $\sigma_1 \propto \sigma'_1, \dots, \sigma_k \propto \sigma'_k$, 

(ii) $tail(\sigma_i) = \mathrm{N}_{\ell_0}$ implies $tail(\sigma'_i) = \mathrm{N}_{\ell'_0}$ for $i = 1, \dots, k$, and 

(iii) $depth(\mathrm{N}_{\ell'_0}) - depth(\mathrm{N}_{\ell_0}) \geq D((\vec\sigma) \to \mathrm{N}_{\ell_0}, \vec\sigma')$. 

(b) $D((\vec\sigma) \to \mathrm{N}_{\ell_0}, \vec\sigma') \stackrel{\text{def}}{=} \max\{\, depth(\sigma'_i) - depth(\sigma_i) \mid \sigma_i <: \mathrm{N}_{\ell_0} \,\}$, for $\sigma_1 \propto \sigma'_1, \dots, \sigma_k \propto 
\sigma'_k$ where each $\sigma_i$ and $\sigma'_i$ is a base type. (See Definition 9 for the general definition of D.) 

For base types: $\mathrm{N}_\ell \propto \mathrm{N}_{\ell'}$ if and only if $depth(\mathrm{N}_\ell) \leq depth(\mathrm{N}_{\ell'})$ and $side(\mathrm{N}_\ell) = side(\mathrm{N}_{\ell'})$. 
It follows from this and condition (i) that no type (or component of a type) can change 
sides as a result of a shift. 

For level-1 types: Condition (i) says that the component types on the right are either 
the same as or else deeper versions of the corresponding types on the left. Condition (ii) 
preserves flatness (which is critical in level-2 shifting). Condition (iii) is just the core idea 
stated above. Note that the max in Definition 8(b) includes only types $<: \mathrm{N}_{\ell_0}$. This is 
because, as remarked above, if $\sigma_i :> \mathrm{N}_{\ell_0}$, then the i-th argument has essentially no effect on 
the size of the $\mathrm{N}_{\ell'_0}$-result. 

Example: Consider the problem: $\Gamma; \_ \vdash f(f(x))\colon ?$, where $\Gamma = f\colon \mathrm{N}_o \to \mathrm{N}_{\Box o},\ x\colon \mathrm{N}_o$. 
Using →-E and Subsumption, we derive $\Gamma; \_ \vdash f(x)\colon \mathrm{N}_{o\Box o}$. Using Shift we derive $\Gamma; \_ \vdash 
f\colon \mathrm{N}_{o\Box o} \to \mathrm{N}_{\Box o\Box o}$. Using →-E again we obtain $\Gamma; \_ \vdash f(f(x))\colon \mathrm{N}_{\Box o\Box o}$ as desired. 

Now let us consider shifting level-2 types. Suppose we want to shift $(\mathrm{N}_{\Box_0} \to \mathrm{N}_{\Box_1}) \to \mathrm{N}_{\Box_3}$ 
to some type of the form $(\mathrm{N}_{\Box_1} \to \mathrm{N}_{\Box_2}) \to \mathrm{N}_{\Box_d}$. What should the value of d be? Suppose 
$f\colon \mathrm{N}_{\Box_0} \to \mathrm{N}_{\Box_1}$. Without using subsumption, building a term of type $\mathrm{N}_{\Box_3}$ from f requires 
nesting applications of f (using type-1 shifts). The longest chain of such depth-increasing 
applications is $f(f(f(x)))$.^{11} When the argument type $\mathrm{N}_{\Box_0} \to \mathrm{N}_{\Box_1}$ is shifted to $\mathrm{N}_{\Box_1} \to \mathrm{N}_{\Box_2}$, each 
application of this argument now ups the depth by an additional +1. So, the largest depth 
that can result from the change is $d = 3 + 3 \cdot 1 = 6$. When shifting $(\vec\sigma) \to \mathrm{N}_\ell$ to some 
$(\vec\sigma') \to \mathrm{N}_{\ell'}$ with each $\sigma_i$ and $\sigma'_i$ a level-1 type, to determine $\ell'$ we must: (a) determine all 
the ways a $\mathrm{N}_\ell$-value could be built by a chain of depth-increasing applications of arguments 
of the types $\vec\sigma$, (b) for each of these ways, figure the increase in the depth of the $\mathrm{N}_\ell$-value 
when each $\sigma_i$-argument is replaced by its $\sigma'_i$ version, and (c) compute the maximum of 
these increases. To help in this, we introduce undo in Figure 12. Example: For $d > 0$, 
$undo(\mathrm{N}_{\Box_0} \to \mathrm{N}_{\Box_1}, \mathrm{N}_{\Box_d}) = undo(\mathrm{N}_{\Box_0} \to \mathrm{N}_{\Box_1}, \mathrm{N}_{o_d}) = \mathrm{N}_{\Box_{d-1}}$. To compute $undo(\tau, \mathrm{N}_\ell)$, one 
determines if a type-$\tau$ argument could be used in a chain of depth-increasing applications 
that build a $\mathrm{N}_\ell$-value, and if so, one figures (in terms of $\ell$) where a leftmost application 
of such an argument could occur, and returns the $<:$-largest type of the arguments of 
this application. (It is straightforward to prove that undo behaves as claimed.) N.B. If 
$undo(\gamma, \mathrm{N}_\ell)$ is defined, then $undo(\gamma, \mathrm{N}_\ell) <: \mathrm{N}_\ell$. We now define: 

$undo((\mathrm{N}_{\ell_1}, \dots, \mathrm{N}_{\ell_k}) \to \mathrm{N}_{\ell_0}, \mathrm{N}_\ell) \stackrel{\text{def}}{=} \begin{cases} \text{undefined}, & \text{if } (\mathrm{N}_{\ell_1}, \dots, \mathrm{N}_{\ell_k}) \to \mathrm{N}_{\ell_0} \text{ is flat or } \ell_0 > \ell; \\ \mathrm{N}_{\ell'\ell''}, & \text{otherwise, where } \ell' = \max\{\,\ell_i \mid \ell_i < \ell_0\,\} \text{ and } \ell'' \text{ is the suffix of } \ell \text{ following the leftmost occurrence of } \ell_0 \text{ in } \ell. \end{cases}$ 

Figure 12: The definition of undo 

Definition 9 (D for level-2 types). Suppose $\sigma_1 \propto \sigma'_1, \dots, \sigma_k \propto \sigma'_k$. 

(a) $D((\vec\sigma) \to \mathrm{N}_\ell, \vec\sigma') \stackrel{\text{def}}{=} \max(\{\, depth(\sigma'_i) - depth(\sigma_i) + D((\vec\sigma) \to undo(\sigma_i, \mathrm{N}_\ell), \vec\sigma') \mid 
undo(\sigma_i, \mathrm{N}_\ell) \text{ is defined}\,\})$, when each $\sigma_i$ and $\sigma'_i$ is level-1. 

(b) $D((\vec\sigma) \to \mathrm{N}_\ell, \vec\sigma') = D((\vec\sigma)_0 \to \mathrm{N}_\ell, (\vec\sigma')_0) + D((\vec\sigma)_1 \to \mathrm{N}_\ell, (\vec\sigma')_1)$, when the $\sigma_i$'s contain 
both level-0 and level-1 types and where $(\vec\gamma)_i$ denotes the subsequence of level-i types of $\vec\gamma$. 

The recursion of Definition 9(a) determines the maximum increase in depth as outlined 
above. Since applications amount to simultaneous substitutions, the contributions of the 
level-0 and level-1 argument shifts are independent. Thus Definition 9(b)'s formula suffices 
for the general case. Example: See the discussion below of feat from Figure 13. 
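The following Python model is added here and is not part of the paper: it implements labels, the suffix order, undo from Figure 12 and the bound D of Definitions 8(b) and 9, and reproduces the two cases worked above, the level-1 shift of f: N_o → N_□o to N_o□o → N_□o□o and the level-2 shift whose bound gives d = 6. The encoding of □ as the letter 'B', the tuple encoding of arrow types, and the extra guard for an empty result label are assumptions of this example.

```python
# Added example (not the paper's own code): a Python model of ATR labels, the
# base-type order, undo (Figure 12) and the shift bound D (Definitions 8(b)
# and 9), checked against the cases worked in the text.
# Representation (our choice): a label is a str over {'o', 'B'}, with 'B'
# standing for the oracle symbol; the base type N_l is just its label l;
# the arrow type (s_1, ..., s_k) -> N_l is the pair (tuple of arg types, l).

def box(d):   # label box_d = (box o)^d, so box(d) names the depth-d oracular type
    return "Bo" * d

def circ(d):  # label o_d = o(box o)^d, so circ(d) names the depth-d computational type
    return "o" + "Bo" * d

def is_base(t):
    return isinstance(t, str)

def tail(t):
    return t if is_base(t) else t[1]

def depth(t):
    """depth(l) = number of box symbols; depth of an arrow type is that of its tail."""
    return tail(t).count("B")

def leq(l1, l2):
    """l1 <= l2 (equivalently N_l1 <: N_l2) iff l1 is a suffix of l2."""
    return l2.endswith(l1)

def side(l):
    """'B' for the oracular labels (empty label and box_d), 'o' for the computational o_d."""
    return "o" if l.startswith("o") else "B"

def is_flat(t):
    args, res = t
    return any(tail(a) == res for a in args)

def undo(t, l):
    """undo(t, N_l) of Figure 12 for a level-1 type t with base-type arguments;
    returns the label of the result type, or None when undefined."""
    args, l0 = t
    if is_flat(t) or not leq(l0, l) or l0 == "":
        # the last test is our addition: an argument returning depth-0 values
        # cannot start a chain of depth-increasing applications
        return None
    below = [a for a in args if leq(a, l0) and a != l0]
    l_prime = max(below, key=len, default="")        # <=-largest label strictly below l0
    l_second = l[l.index(l0) + len(l0):]             # suffix after the leftmost occurrence of l0
    return l_prime + l_second

def _d_level1(pairs, l):
    """Definition 9(a): follow every chain of depth-increasing applications."""
    cands = [depth(n) - depth(o) + _d_level1(pairs, undo(o, l))
             for o, n in pairs if undo(o, l) is not None]
    return max(cands, default=0)

def D(t, new_args):
    """D((s) -> N_l, s') for the old type t = (s, l) and the shifted arguments s'."""
    args, l = t
    base = [(o, n) for o, n in zip(args, new_args) if is_base(o)]
    arrows = [(o, n) for o, n in zip(args, new_args) if not is_base(o)]
    d0 = max((depth(n) - depth(o) for o, n in base if leq(o, l)), default=0)  # Def. 8(b)
    return d0 + _d_level1(arrows, l)                                          # Def. 9(b)

def shifts_to(s, t):
    """s shifts to t (Definition 8) for base types and level-1 types with base arguments."""
    if is_base(s) and is_base(t):
        return side(s) == side(t) and depth(s) <= depth(t)
    if is_base(s) or is_base(t) or len(s[0]) != len(t[0]):
        return False
    (a, l0), (a2, l2) = s, t
    cond_i = shifts_to(l0, l2) and all(shifts_to(x, y) for x, y in zip(a, a2))
    cond_ii = all(tail(y) == l2 for x, y in zip(a, a2) if tail(x) == l0)
    cond_iii = depth(l2) - depth(l0) >= D(s, a2)
    return cond_i and cond_ii and cond_iii

def level2_example():
    """Shift (N_box0 -> N_box1) -> N_box3 to (N_box1 -> N_box2) -> N_box_d: return (D, d)."""
    f_old = ((box(0),), box(1))
    f_new = ((box(1),), box(2))
    bound = D(((f_old,), box(3)), (f_new,))
    return bound, 3 + bound
```

Because labels are linearly ordered by the suffix relation and have pairwise distinct lengths, the ≤-maximum of a set of labels is simply its longest member, which is what `undo` relies on.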

Now let us consider the reason behind condition (ii) in Definition 8(a). A term of a flat 
type can be used an arbitrary number of times in constructing a value. Consequently, if 
Definition 8(a) had allowed flat level-1 types (which increase the depth by 0) to be shifted 
to strict level-1 types (which increase the depth by a positive amount), then it would have 
been impossible to bound the depth increase of shifts involving arguments of flat types. 

Some examples. Figure 13 contains five sample programs. These examples use the syntactic 
sugar of the let and letrec constructs.^{12} The first three programs and their typing are 
all straightforward. For the typing of feat, cat's type is shifted to $\mathrm{N}_{\Box_1} \to \mathrm{N}_{o_1} \to \mathrm{N}_{o_1}$ and 
prn's type is shifted to $(\mathrm{N}_{o_0} \to \mathrm{N}_{o_1} \to \mathrm{N}_{o_1}) \to \mathrm{N}_{\Box_0} \to \mathrm{N}_{o_1}$. The final program computes 

$\lambda f \in (\mathbb{N} \to \mathbb{N}),\, x \in \mathbb{N}.\ \begin{cases} \text{the least } k \leq x \text{ such that } k = \max_{i \leq k} len(f(i)), & \text{if such a } k \text{ exists;} \\ x, & \text{otherwise;} \end{cases}$ (5.1) 

where $len(z)$ = the dyadic representation of the length of z. This is a surprising and 
subtle example of a BFF due to Kapron [Kap91] and was a key example that led to the 
Kapron-Cook Theorem [KC96]. In findk, we assume we have: a type-$(\mathrm{N}_{\Box_1} \to \mathrm{N}_{\Box_1} \to \mathrm{N}_{\Box_1})$ 
definition of $(x, y) \mapsto [1, \text{ if } x = y;\ \varepsilon, \text{ otherwise}]$, a type-$(\mathrm{N}_{\Box_1} \to \mathrm{N}_{\Box_1})$ definition of len, a 
type-$(\mathrm{N}_{\Box_1} \to \mathrm{N}_{\Box_1} \to \mathrm{N}_{\Box_1})$ definition of max, and a type-$(\mathrm{N}_{o_0} \to \mathrm{N}_{o_0})$ definition of $x \mapsto x + 1$. 
Filling in these missing definitions is a straightforward exercise. A more challenging exercise 
is to define (5.1) via prn's. 

^{11} Note that the outer two of these three applications must involve shifting the type of the argument. 
Also, informally, in $f(f(f(\mathrm{down}(f(f(f(f(\varepsilon)))), \varepsilon))))$ only the outer three applications of f count as a chain 
of depth-increasing applications because of the drop in depth caused by the down. Formally, no shadowed 
(Definition 29) application can be in a depth-increasing chain. 

^{12} Where $(\mathrm{letrec}\ f = e'\ \mathrm{in}\ e) \stackrel{\text{def}}{=} e[f := (\mathrm{crec}\ \varepsilon\ (\lambda_r f.e'))]$ and let is as in footnote 10. 

reverse: N_ε → N_o =                          // reverse a_1 ... a_k = a_k ... a_1. 
  λw. letrec f: N_ε → N_ε → N_o → N_o = 
        λb, x, r. if (t_0 x) then f b (d x) (c_0 r) 
                  else if (t_1 x) then f b (d x) (c_1 r) 
                  else r 
      in f w w ε 

prn: (N_o → N_o → N_o) → N_ε → N_o =          // See (…). 
  λe, y. letrec f: N_ε → N_ε → N_o → N_o → N_o = 
           λb, x, z, r. if (t_0 x) then f b (d x) (c_0 z) (e (c_0 z) r) 
                        else if (t_1 x) then f b (d x) (c_1 z) (e (c_1 z) r) 
                        else r 
         in f y (reverse y) ε (e ε ε) 

cat: N_ε → N_o → N_o =                         // cat w x = w ⊕ x as before. 
  λw, x. let f: N_o → N_o → N_o = 
           λy, z. if (t_0 y) then (c_0 z) else if (t_1 y) then (c_1 z) else x 
         in prn f w 

feat: (N_o → N_□o) → N_ε → N_o□o =              // feat f a_1 ... a_k = (f a_1 ... a_k) ⊕ 
  λf, x. let e: N_o → N_o□o → N_o□o =          //   (f a_2 ... a_k) ⊕ ··· ⊕ (f a_k) ⊕ (f ε) 
           λy, r. (cat (f y) r) 
         in prn e x 

findk: (N_o → N_□o) → N_ε → N_ε =              // See (5.1). 
  λf, x. letrec h: N_□o → N_ε → N_ε =          // Invariant: k ≤ len(m) and |m| ≤ |f|(|x|) 
           λm, k. if k == x then k 
                  else if k == (len m) then k 
                  else h (max (f (k + 1)) m) (down (k + 1) x) 
         in h (f ε) ε 

Figure 13: ATR versions of reverse, prn, cat, feat, and findk 



Semantics. The CEK machine of (§11.1) provides an operational semantics of ATR. For a 
denotational semantics we provisionally take the obvious modification of PCF's $\mathcal{V}$-semantics. 
($\mathcal{V}$ was introduced in §2.7.) Example 23 illustrates some inherent difficulties with $\mathcal{V}$ as a 
semantics for ATR. We shall circumvent these difficulties by some selective pruning of $\mathcal{V}$ in 
§7 and §9. 

Some syntactic properties. 

Definition 10 (Use). If variable x fails to occur free in expression e, then $uses(x, e) = 0$; 
otherwise $uses(x, e)$ is given by: 

$uses(x, x) = 1$.  $uses(x, (\mathrm{op}\ e_0)) = uses(x, (\lambda y.e_0)) = uses(x, e_0)$. 
$uses(x, (\mathrm{down}\ e_0\ e_1)) = uses(x, (e_0\ e_1)) = uses(x, e_0) + uses(x, e_1)$. 
$uses(x, (\mathrm{if}\ e_0\ \mathrm{then}\ e_1\ \mathrm{else}\ e_2)) = uses(x, e_0) + uses(x, e_1) \vee uses(x, e_2)$. 
$uses(x, (\mathrm{crec}\ k\ (\lambda_r f.e_0))) = \top$ (= unbounded). 

By convention, $a < \top$ and $a + \top = \top + a = a \vee \top = \top \vee a = \top$ for each $a \in \mathbb{N}$. 

Lemma 11 (One-use). If $\Gamma; f\colon\gamma \vdash e\colon \gamma$ or $\Gamma; \_ \vdash (\mathrm{crec}\ k\ (\lambda_r f.e))\colon \gamma$, then $uses(f, e) \leq 1$. 

Lemma 12 (Subject reduction). If $\Gamma; \Delta \vdash e\colon \gamma$ and e $\beta\eta$-reduces to $e'$, then $\Gamma; \Delta \vdash e'\colon \gamma$. 

Lemma 13 (Unique typing of subterms). If $\Gamma; \Delta \vdash e\colon \sigma$, then each occurrence of a subterm 
in e has a uniquely assignable type that is consistent with $\Gamma; \Delta \vdash e\colon \sigma$. 

Lemma 14. $\Gamma; \Delta \vdash \lambda\vec{x}.e\colon (\vec\sigma) \to \mathrm{N}_\ell$ if and only if $\Gamma, \vec{x}\colon\vec\sigma; \Delta \vdash e\colon \mathrm{N}_\ell$. 

Lemma 11 follows from a straightforward structural induction on judgment derivations. 
The proof of Lemma 12 is an adaptation of the argument for [Pie02, Theorem 15.3.4]. The 
proof of Lemma 13 is also an adaptation of standard arguments. We make frequent, implicit 
use of Lemma 13 below. Lemma 14 is a reality check on the definition of $\propto$. The proof of 
this is a completely standard induction on derivations except in the case where the last rule 
used in deriving $\Gamma; \Delta \vdash \lambda\vec{x}.e\colon (\vec\sigma) \to \mathrm{N}_\ell$ is Shift. The argument for this case is an induction 
on the structure of e, where application is the key subcase. There one simply checks that 
our definition of $\propto$ correctly calculates upper bounds on the increase in depth. 
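As an added example (not the paper's code), the following Python computes uses(x, e) of Definition 10 over a tuple-encoded abstract syntax, together with the →-E operand restriction and TailPos(f, e) of Figure 11, and runs them on the body of reverse from Figure 13, on f(f ε), on the term λ_r f.(λg.(g(g ε)) f) discussed after Figure 11, and on a body that mentions the recursor inside an inner crec. The tuple encoding, the constructor helpers and the function names are assumptions of this example.

```python
# Added example (not the paper's own code): Definition 10's use count, the
# arrow-E operand restriction and TailPos(f, e) from Figure 11, computed over
# a small tuple-encoded ATR abstract syntax (our encoding):
#   ("var", x)            ("op", name, e)          ("lam", x, e)
#   ("app", e0, e1)       ("down", e0, e1)         ("if", e0, e1, e2)
#   ("crec", k, f, e)     with k a constant string and f the λ_r-bound variable
import math

TOP = math.inf   # ⊤ (= unbounded); inf + a == inf and max(a, inf) == inf, as in the convention

def var(x):
    return ("var", x)

def app(head, *args):
    """(head e1 ... ek) as nested binary applications."""
    e = head
    for a in args:
        e = ("app", e, a)
    return e

def lam(params, body):
    for x in reversed(params):
        body = ("lam", x, body)
    return body

def free_in(x, e):
    tag = e[0]
    if tag == "var":
        return e[1] == x
    if tag == "lam":
        return e[1] != x and free_in(x, e[2])
    if tag == "crec":
        return e[2] != x and free_in(x, e[3])
    return any(free_in(x, sub) for sub in e[1:] if isinstance(sub, tuple))

def uses(x, e):
    """uses(x, e) of Definition 10."""
    if not free_in(x, e):
        return 0
    tag = e[0]
    if tag == "var":
        return 1
    if tag in ("op", "lam"):
        return uses(x, e[2])
    if tag in ("down", "app"):
        return uses(x, e[1]) + uses(x, e[2])
    if tag == "if":
        return uses(x, e[1]) + max(uses(x, e[2]), uses(x, e[3]))
    return TOP        # x occurs free inside an inner crec: unbounded

def operand_free(f, e):
    """The arrow-E side condition: f never occurs free in the operand of an application."""
    if e[0] == "app":
        return not free_in(f, e[2]) and operand_free(f, e[1])
    return all(operand_free(f, sub) for sub in e[1:] if isinstance(sub, tuple))

def tail_pos(f, e):
    """TailPos(f, e): every occurrence of f in e is the head of a tail call."""
    tag = e[0]
    if tag == "lam":
        return tail_pos(f, e[2])
    if tag == "if":
        return not free_in(f, e[1]) and tail_pos(f, e[2]) and tail_pos(f, e[3])
    if tag == "app":
        head, args = e, []
        while head[0] == "app":
            args.append(head[2])
            head = head[1]
        if head == var(f):
            return not any(free_in(f, a) for a in args)
    return not free_in(f, e)

# Constructed samples (not from the paper's figures verbatim):
b, x, r, f = var("b"), var("x"), var("r"), var("f")
# the body of reverse's letrec from Figure 13
REVERSE_BODY = lam(["b", "x", "r"],
    ("if", ("op", "t0", x), app(f, b, ("op", "d", x), ("op", "c0", r)),
     ("if", ("op", "t1", x), app(f, b, ("op", "d", x), ("op", "c1", r)), r)))
# f (f ε): two uses, and f sits in operand position
DOUBLE_USE = app(f, app(f, var("eps")))
# (λg. g (g ε)) f: one syntactic use of f, but f is the operand of an intuitionistic application
OPERAND_USE = app(lam(["g"], app(var("g"), app(var("g"), var("eps")))), f)
# an inner crec whose body mentions the outer f: Definition 10 counts this as unbounded
INNER_CREC = ("crec", "eps", "g", lam(["y"], app(f, var("y"))))
```

The operand check is what rules out OPERAND_USE: its use count is 1, so counting alone would not catch the duplication that β-reduction exposes, and it is the →-E rule's empty affine zone for the operand that does.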

ATR's computational limitations and capabilities. The major goals of the rest of the 
paper are to establish type-level 2 analogues of Propositions 1, 2, and 3 for ATR. We shall 
first prove Theorem 43, a polynomial size-boundedness result for ATR. The groundwork for 
this result will be the investigation of second-order size-bounds in the next few sections. 

Remark 15 (Related work). As noted in §1, ramified types based on Bellantoni and Cook's 
ideas, higher types, and linear types are common features of work on implicit complexity (see 
Hofmann's survey [Hof00]), but most of that work has focused on guaranteeing complexity of 
type-level 1 programs. The ATR type system is roughly a refinement of the type systems of 
[IKR01, IKR02] which were constructed to help study higher-type complexity classes. Also, 
the type systems of this paper and [IKR01, IKR02] were greatly influenced by Leivant's 
elegant ramified type systems [Lei95, Lei94]. We note that in [Lei03] Leivant proposes a 
formalism that uses intersection types to address the same problems dealt with by our Shift 
rule (e.g., how to type $f(f(x))$). 






N. DANNER AND J. S. ROYER 



Zero-I: $\Sigma \vdash 0\colon \mathrm{T}_\varepsilon$    Const-I: $\Sigma \vdash k\colon \mathrm{T}_o$    Subsumption: $\dfrac{\Sigma \vdash p\colon \sigma}{\Sigma \vdash p\colon \tau}$ ($\sigma <: \tau$) 

Shift: $\dfrac{\Sigma \vdash p\colon \sigma}{\Sigma \vdash p\colon \tau}$ ($\sigma \propto \tau$)    ∨-I: $\dfrac{\Sigma_0 \vdash p_0\colon \mathrm{T}_\ell \qquad \Sigma_1 \vdash p_1\colon \mathrm{T}_\ell}{\Sigma_0 \cup \Sigma_1 \vdash (\vee\ p_0\ p_1)\colon \mathrm{T}_\ell}$ 

+-I: $\dfrac{\Sigma_1 \vdash p_1\colon \mathrm{T}_{o_d} \qquad \Sigma_2 \vdash p_2\colon \mathrm{T}_{o_d}}{\Sigma_1 \cup \Sigma_2 \vdash (+\ p_1\ p_2)\colon \mathrm{T}_{o_d}}$    ∗-I: $\dfrac{\Sigma_1 \vdash p_1\colon \mathrm{T}_{o_d} \qquad \Sigma_2 \vdash p_2\colon \mathrm{T}_{o_d}}{\Sigma_1 \cup \Sigma_2 \vdash (*\ p_1\ p_2)\colon \mathrm{T}_{o_d}}$ 

Figure 14: Additional typing rules for the second-order polynomials under the size types 



Remark 16 (Pragmatic predicativity). Many of the formalisms based on Bellantoni and 
Cook's ideas are predicative in the sense of Proposition 4: no information about "safe 
values" can influence "normal values." Two principles followed in this paper are: (i) The 
ramification of data (e.g., the normal/safe distinction) and the complexity it adds to the 
type system is something we will put up with to control the size of values; (ii) however, if 
there is a good reason to cut through the ramification while still controlling sizes, then we 
will happily do so. As a consequence of (i), our type system for second-order polynomial 
size-bounds is strictly predicative. As a consequence of (ii), ATR's type system includes the 
if-I and down-I rules and impredicative types to handle examples like $F_2$ of (4.1). 

There is a price for the down construct: its use tends to complicate correctness arguments 
for algorithms. For example, consider the subexpression $(\mathrm{down}\ (k+1)\ x)$ in the 
ATR-program for findk in Figure 13. The purpose of the down is to guarantee to the type 
system that the subexpression's value is small (e.g., $\leq |x|$). The correctness of the algorithm 
depends critically on the easy observation that, in any run of the program, the value 
of the subexpression will always be $k + 1$. This is common in expressing algorithms in 
ATR: one knows that a value is small, but an application of down is needed to convince the 
type-system of this. As a result the correctness proof needs a lemma showing that the original 
value is indeed small and the down expression does not change the value. Thus our use of 
down and (mild) impredicativity is a compromise between the simplicity, but restrictiveness, 
of predicative systems and the richer, but more complex, type systems that permit finer 
reasoning about size.^{13} 



6. Size bounds 



6.1. The second-order polynomials under the size types. To work with size bounds, 
we introduce the size types and a typing of second-order polynomials under these types. 
The size types parallel the intuitionistic part of ATR's type system. 

Definition 17. 

(a) For each ATR type $\sigma$, let $|\sigma| = \sigma[\mathrm{N} := \mathrm{T}]$. (E.g., $|\mathrm{N}_\varepsilon \to \mathrm{N}_o| = \mathrm{T}_\varepsilon \to \mathrm{T}_o$.) These 
$|\sigma|$'s are the size types. All the ATR-types terminology and operations (e.g., shape, tail, $<:$, 
$\propto$, etc.) are defined analogously for size types. 



^{13} Hofmann's work on non-size-increasing functions [Hof03, Hof02] provides a nice example of a type 
system for fine control of sizes, but that system is not helpful in dealing with the $F_2$ or findk examples. 
(b) The typing rules for the second-order polynomials under the size types consist of 
Id-I, →-I, and →-E from Figure 2 and the rules of Figure 14. 

Recall the $\mathcal{L}$-semantics for second-order polynomials introduced in §2.12. We provisionally 
take $\mathcal{L}[\![\sigma]\!] = \mathcal{L}[\![shape(\sigma)]\!]$ and define $\mathcal{L}[\![\Sigma \vdash p\colon \sigma]\!]$ as before. Later, a pruned version of 
the $\mathcal{L}$-semantics will end up as our intended semantics for the second-order polynomials to 
parallel our pruning of the $\mathcal{V}$-semantics for ATR. 

The following definition formalizes what it means for an ATR expression to be polynomially 
size-bounded. N.B. This definition heavily overloads the "length of" notation, $|\cdot|$. In 
particular, if x is an ATR variable, we treat $|x|$ as a size-expression variable. Definition 18(c) 
is based on a similar notion from [IKR02]. 

Definition 18. Suppose $\Gamma; \Delta \vdash e\colon \sigma$ is an ATR-type judgment. 

(a) $|\Gamma; \Delta| = \{\, |x| \mapsto |\sigma| \mid (\Gamma; \Delta)(x) = \sigma \,\}$. 

(b) For each $\rho \in \mathcal{V}[\![\Gamma; \Delta]\!]$, define $|\rho| \in \mathcal{L}[\![|\Gamma; \Delta|]\!]$ by $|\rho|(|x|) = |\rho(x)|$.^{14} 

(c) We say that the second-order polynomial p bounds the size of e (or, p is a size-bound 
for e) with respect to $\Gamma; \Delta$ when $|\Gamma; \Delta| \vdash p\colon |\sigma|$ and $|\mathcal{V}[\![e]\!]\rho| \leq_{|\sigma|} \mathcal{L}[\![p]\!]|\rho|$ for all $\rho \in \mathcal{V}[\![\Gamma; \Delta]\!]$. 
(The "with respect to" clause is dropped when it is clear from context.) 

Lemmas 19 through 22 below note a few basic properties of the second-order polynomials 
under the size types. Lemma 21 connects the depth of a second-order polynomial p 
and the depths of the types assignable to p. Lemmas 19 and 20 follow by proofs similar to 
those for Lemmas 12 and 14. Lemma 21's proof is a straightforward induction on judgment 
derivations, and Lemma 22 is just an observation. Terminology: Inductively define $0_\gamma$ by: 
$0_{\mathrm{T}_\ell} = 0$ and $0_{\sigma \to \tau} = \lambda x.0_\tau$. By abuse of notation, we often write $0_\gamma$ for $\mathcal{L}[\![\vdash 0_\gamma\colon \gamma]\!]\{\}$. 

Lemma 19 (Subject Reduction). Suppose $\Sigma \vdash p\colon \sigma$ and p $\beta\eta$-reduces to $p'$. Then $\Sigma \vdash p'\colon \sigma$. 

Lemma 20. $\Sigma \vdash \lambda\vec{x}.p\colon (\vec\sigma) \to \mathrm{T}_\ell$ if and only if $\Sigma, \vec{x}\colon\vec\sigma \vdash p\colon \mathrm{T}_\ell$. 

Lemma 21 (Label Soundness). Suppose $\Sigma \vdash p\colon \sigma$ has a derivation in which the only types 
assigned by contexts are from $\{\,\mathrm{T}_\ell\,\} \cup \{\,(\mathrm{T}_{\ell_1}, \dots, \mathrm{T}_{\ell_k}) \to \mathrm{T}_{\Box_d} \mid k > 0\,\}$. Then $depth(p) \leq depth(\sigma)$. 

Lemma 22. $0_\gamma$ is the least element of $\mathcal{L}[\![\gamma]\!]$ under the pointwise ordering. 

6.2. Semantic troubles. The naive (and false!) ATR-analogue of Proposition 1 is: For each Γ; Δ ⊢ e: σ, there is a p_e that bounds the size of e with respect to Γ; Δ. Example 23 illustrates the problems with this. N.B. If the definition of BCL had allowed unrestricted free variables of type-level 1, the problems of Example 23 would have occurred in that setting too.

Example 23. Let e1 and e2 be as given in Figure 15, let prn be as in Figure 13, and let dup be an ATR-version of the definition in Figure 8.

(a) Suppose Γ1 = g1: N_□ → N_ε and ρ1 = { g1 ↦ λz ∈ N.z }. Then |V⟦e1⟧ ρ1| = λn ∈ ω.n². Note |ρ1(g1)| = λn ∈ ω.n is a polynomial function. The problem is that ρ1(g1) = λx ∈ N.x subverts the intent of the type system by allowing an unrestricted flow of information about "safe" values into "normal" values.

[Footnote] N.B. The |·| in "|x|" is syntactic, whereas the |·| in "|ρ|" and "|ρ(x)|" are semantic.

[Footnote] By using a similar trick and the full power of crec, one can write nonterminating ATR programs.
e1: N_ε → N_□ =
    λw. let h1: N_□ → N_□ → N_□ =
            // Assume g1: N_□ → N_ε.
            λx, y. if x ≠ ε then (dup (g1 y) (g1 y)) else w
        in prn h1 w

e2: N_ε → N_□ =
    λw. let h2: N_□ → N_□ → N_□ =
            // Assume g2: N_□ → N_□.
            λx, y. if x ≠ ε then (g2 y) else w
        in prn h2 w

Figure 15: Two problematic programs



(b) Suppose Γ2 = g2: N_□ → N_□ and ρ2 = { g2 ↦ λz ∈ N.z ⊕ z }. Then |V⟦e2⟧ ρ2| = λn ∈ ω.n·2^n. Note |ρ2(g2)| = λn ∈ ω.2n is a polynomial function. The problem is that ρ2(g2) = λy ∈ N.y ⊕ y subverts the fundamental restriction on the sizes of "safe" values in growth-rate bounds as in Proposition 1(b).

The problem of Example 23(a) is addressed in §7 by pruning the L- and V-semantics to restrict impredicative-type values. The problem of Example 23(b) is addressed in §9 by further pruning to restrict flat-type values.

7. Impredicative types and nearly well-foundedness

Failing to restrict impredicative-type values leads to problems like the one of Example 23(a). These problems can be avoided by requiring that each impredicative-type value have a length that is nearly well-founded.

Definition 24. A t ∈ L⟦γ⟧ is γ-well-founded when γ = T_ℓ or else γ = (σ1, ..., σk) → T_ℓ and, for each i with tail(σi) :> T_ℓ, the function t has no dependence on its i-th argument. A t is nearly γ-well-founded when there is a γ-well-founded t' such that t ≤ t'.

Remark 25. Why nearly well-founded? The natural sources of ATR-terms with impredicative types are the if-then-else and down constructs. Let c = λx, y, z.(if x then y else z) and d = λx, y.(down x y), where ⊢ c: (N_ℓ, N_ℓ', N_ℓ') → N_ℓ', ⊢ d: (N_ℓ, N_ℓ') → N_ℓ', and ℓ > ℓ'. Thus |c| ∈ L⟦|(N_ℓ, N_ℓ', N_ℓ') → N_ℓ'|⟧ and |d| ∈ L⟦|(N_ℓ, N_ℓ') → N_ℓ'|⟧. Neither |c| nor |d| is well-founded since |c| = λk, m, n.(m, if k = 0; n, otherwise) and |d| = λk, m.min(k, m). However, both |c| and |d| are nearly well-founded as |c| ≤ λk, m, n.(m ∨ n) and |d| ≤ λk, m.m.

Lemma 26. Suppose Σ ⊢ p: σ, ρ ∈ L⟦Σ⟧, and ρ(x) is nearly Σ(x)-well-founded for each x ∈ preimage(Σ). Then L⟦p⟧ ρ is nearly σ-well-founded.

Lemma 26 follows by a straightforward induction and indicates that a semantics for the second-order polynomials based on nearly well-foundedness will be well defined. Terminology. The restriction of f ∈ (X1, ..., Xk) → Y to (X1', ..., Xk') → Y (where X1' ⊆ X1, ..., Xk' ⊆ Xk) is λx1 ∈ X1', ..., xk ∈ Xk'. f(x1, ..., xk).

Definition 27 (The nearly well-founded semantics).

(a) Inductively define L_nwf⟦γ⟧ by: L_nwf⟦T_ℓ⟧ = ω. For γ = (σ1, ..., σk) → T_ℓ, L_nwf⟦γ⟧ is the restriction to (L_nwf⟦σ1⟧, ..., L_nwf⟦σk⟧) → L_nwf⟦T_ℓ⟧ of the γ-nearly well-founded elements of L⟦γ⟧. Define L_nwf⟦Σ⟧ and L_nwf⟦Σ ⊢ p: γ⟧ in the standard way.

(b) Inductively define V_nwf⟦γ⟧ by: V_nwf⟦N_ℓ⟧ = N. For γ = (σ1, ..., σk) → N_ℓ, V_nwf⟦γ⟧ is the restriction to (V_nwf⟦σ1⟧, ..., V_nwf⟦σk⟧) → V_nwf⟦N_ℓ⟧ of the f ∈ V⟦γ⟧ with |f| ∈ L_nwf⟦|γ|⟧. Define V_nwf⟦Γ; Δ⟧ and V_nwf⟦Γ; Δ ⊢ e: γ⟧ in the standard way.



(c) We write p ≡_nwf p' when L_nwf⟦Σ ⊢ p: γ⟧ |ρ| = L_nwf⟦Σ ⊢ p': γ⟧ |ρ| for all |ρ| ∈ L_nwf⟦Σ⟧. We define ≤_nwf, ≥_nwf, ... analogously.

There is still a problem with impredicative-type values. In deriving closed-form upper bounds on recursions, we often need a well-founded upper bound on the value of a variable of an impredicative type. There is no effective way to obtain such a bound. We thus do the next best thing: give a canonical such upper bound a name and work with that name.

Definition 28. We add a new combinator, 𝔭, to the second-order polynomials such that L_nwf⟦Σ ⊢ (𝔭 p): γ⟧ |ρ| = the least γ-well-founded upper bound on L_nwf⟦Σ ⊢ p: γ⟧ |ρ|. (See Figure 17 for 𝔭's typing rule.) For each variable x, we abbreviate (𝔭 x) by 𝔭_x.

The choice 𝔭 makes is analogous to the choice of a in the situation where one knows f ∈ O(n) and picks the least a ∈ ω such that f(n) ≤ a·(n + 1) for all n ∈ ω. In most uses, 𝔭_x's are destined to be substituted for by concrete, well-founded terms.

To help work with terms involving impredicative types we introduce:

Definition 29 (Shadowing). Suppose Σ ⊢ p: σ. An occurrence of a subterm r of p is shadowed when the occurrence properly appears within another shadowed occurrence or else the occurrence has an enclosing subexpression (t r) where the occurrence of t is of an impredicative type σ → τ with tail(σ) :> tail(τ). A variable x is a shadowed free variable for p when all of x's free occurrences in p are shadowed; otherwise x is an unshadowed free variable for p.

8. Safe upper bounds

The restriction to the V_nwf-semantics solves the problem with impredicative types, but not the problem with flat types. To work towards a solution of this latter problem, in this section we introduce the notion of a safe second-order polynomial (Definition 30) and show that any expression (in a simplification of ATR) that does not involve flat-type variables has a safe upper bound. The next section proposes a solution to the flat-type problem: that each flat-type length must have a safe upper bound. Theorem 43 in §10 shows that this proposed solution does indeed work. Convention: In this section b, γ, σ, and τ range over size types. In writing p = (x p1 ... pk), we mean x is a variable and, when k = 0, p = x.

Definition 30 (Strictness, chariness, and safety). Suppose Σ ⊢ p: γ.

(a) We say that p is b-strict with respect to Σ when tail(γ) <: b and every unshadowed free-variable occurrence in p has a type with tail <: b.

(b) We say that p is b-chary with respect to Σ when γ = b and either (i) p = (x q1 ··· qk) with each q_i b-strict or (ii) p = p1 ∨ ··· ∨ pm, where each p_i satisfies (i). (Note that 0 sneaks in as b-chary; take m = 0 in (ii).)

(c) We say that p is γ-safe with respect to Σ if and only if

(i) when γ = T_{◇_d}, then p ≡_nwf q ∨ r where q is γ-strict and r is γ-chary,

(ii) when γ = T_{□_d}, then p ≡_nwf q + r where q is γ-strict and r is γ-chary, and

(iii) when γ = σ → τ, then (p x) is τ-safe with respect to Σ, x: σ.

With the above notions, we drop the "with respect to Σ" when Σ is clear from context. Examples: Recall the bound p + ∨_{j=1}^{m} |y_j| of Proposition 1(b). In terms of the size types, the subterm p is T_□-strict, the subterm ∨_{j=1}^{m} |y_j| is T_□-chary, and hence, p + ∨_{j=1}^{m} |y_j| is T_□-safe. Roughly, Proposition 1 implies that each BCL expression has a safe size-bound. Note that if f: N_□ → N_{◇_0} and x: N_□, then |f|(|x|) is T_{◇_0}-chary, but not T_{◇_0}-strict.

Figure 16: The additional typing rules for GR

$$
\text{s-I:}\quad
\frac{\Sigma \vdash s : T_{\ell}}{\Sigma \vdash (\mathrm{s}\; s) : T_{\ell}}
\qquad\qquad
\text{R-I:}\quad
\frac{\Sigma_0 \vdash s_0 : T_{\ell'} \to T_{\ell'} \qquad \Sigma_1 \vdash s_1 : T_{\ell} \qquad \Sigma_2 \vdash s_2 : T_{\ell'}}
     {\Sigma_0 \cup \Sigma_1 \cup \Sigma_2 \vdash (\mathrm{R}\; s_0\; s_1\; s_2) : T_{\ell'}}
\;\;(\ell' = \mathit{succ}(\ell))
$$

Strictness and chariness are syntactic notions, whereas safety is a semantic notion because of the use of ≡_nwf in Definition 30(c). Thus:

Lemma 31. If Σ ⊢ p: b and p is b-strict or b-chary, then p is also b-safe.

Proof. Since 0 is both b-strict and b-chary and since p ≡_nwf p ∨ 0 ≡_nwf 0 ∨ p ≡_nwf p + 0 ≡_nwf 0 + p, the lemma follows. □

The next lemma notes a key property of safe second-order polynomials.

Lemma 32 (Safe substitution). Fix Σ. Given a γ-safe p0, a σ-safe p1, and a variable x with Σ(x) = σ, we can effectively find a γ-safe p0' such that p0[x := p1] ≤_nwf p0'.

Proof. Except for the case when p1 is a λ-expression, the argument is a straightforward induction. When p1 is a λ-expression, the substitution can trigger a cascade of other substitutions to deal with. However, as we are working with an applied simply-typed λ-calculus, strong normalization holds [Win93], and hence, these cascades are finite. Consequently, to deal with this case we simply use a stronger induction than before, say on the syntactic structure of p0 and p1 and on the length of the longest path of β-reductions to normal form of p0[x := p1]. This is fairly conventional and left to the reader. □

Remark 25 informally argued that if e, an ATR expression, does not involve impredicative-type variables, then |e| has a well-founded upper bound. The analogous argument here would be that if e does not involve flat-type variables, then |e| has a safe upper bound. This assertion is true, but not so interesting because most natural crec-expressions have their recursor variable of flat type. To get around this problem we introduce a little formalism, GR (for growth rate), which includes a simple iteration construct that does not depend so heavily on flat-type variables and which captures ATR's growth rate properties, including ATR's difficulty with flat-type values. We show in Theorem 34 that GR expressions that do not involve flat-type variables have safe upper bounds.

Definition 33. GR's raw terms are given by: S ::= 0* | (∨ S S) | (s S) | (R S S S) | X | (S S) | (λX.S). The typing rules for GR consist of →-I and →-E from Figure 2, Zero-I, Const-I, Subsumption, Shift, and ∨-I from Figure 10, and s-I and R-I from Figure 16. The intended interpretations of ∨, s, and R are: (∨ m n) = max(m, n), (s m) = m + 1, and (R f m n) = f^{|m|}(n).

We straightforwardly extend the L_nwf-semantics for second-order polynomials to GR. Note: L_nwf⟦λm, n.(R f m n)⟧ ρ = λm, n ∈ ω. n·2^m when ρ(f) = λk ∈ ω.2k. So GR has familiar problems with flat-type values. We note that the GR analogues of Lemmas 19, 20, and 22 all hold. Terminology: Σ ⊢ s: σ is flat-type-variable free when no variable is explicitly or implicitly assigned a flat type by the judgment.

[Footnote, to the proof of Lemma 32] Alternatively, the lemma's proof could be done through a logical relations induction [Win93].

[Footnote, to Figure 16] Recall from §3 that succ(ℓ) = the successor of ℓ in the ordering on labels.
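The note above (and Example 23(b) before it) is the whole flat-type problem in one line: iterating a function variable whose own size bound is a harmless polynomial can still produce exponential growth. The following is an added example for this page, not code from the paper: a small interpreter for the size semantics of GR's iterator, written over lengths (natural numbers) in the spirit of the L-semantics. The term encoding (Const, Var, Max, Succ, Iter), the environment shape, and the bound `safe_bound_additive` are my own assumptions; the latter instantiates the shape (p1 * q0 + q2) + (r0' ∨ r2) from the R-I case of Theorem 34 with the count p1 = m, strict part q0 = c, start bound 0 + n and r0' = 0.

```python
"""Size semantics of GR's iterator R: why flat-type function variables are
dangerous.  Constructed example for this page, not code from the paper.

The GR constructs max (V), successor (s) and the iterator R are interpreted
over lengths (natural numbers), the way the L-semantics interprets
second-order polynomials; (R f m n) is read as f^m(n), the size-level
version of f^{|m|}(n).  Only first-order variables are supported.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, Union

Env = Dict[str, Union[int, Callable[[int], int]]]


@dataclass(frozen=True)
class Const:
    value: int              # a constant 0^k, read as its length k


@dataclass(frozen=True)
class Var:
    name: str               # a first-order variable looked up in the environment


@dataclass(frozen=True)
class Max:                  # (V s0 s1) = max(s0, s1)
    left: Term
    right: Term


@dataclass(frozen=True)
class Succ:                 # (s s1) = s1 + 1
    arg: Term


@dataclass(frozen=True)
class Iter:                 # (R f m n) = f^m(n), f a function variable
    fn: str
    count: Term
    start: Term


Term = Union[Const, Var, Max, Succ, Iter]


def size_eval(t: Term, env: Env) -> int:
    """Evaluate a term to a length under env (first-order variables only)."""
    if isinstance(t, Const):
        return t.value
    if isinstance(t, Var):
        v = env[t.name]
        if not isinstance(v, int):
            raise TypeError(f"{t.name} is not a first-order variable")
        return v
    if isinstance(t, Max):
        return max(size_eval(t.left, env), size_eval(t.right, env))
    if isinstance(t, Succ):
        return size_eval(t.arg, env) + 1
    if isinstance(t, Iter):
        f = env[t.fn]
        if not callable(f):
            raise TypeError(f"{t.fn} is not a function variable")
        acc = size_eval(t.start, env)
        for _ in range(size_eval(t.count, env)):   # f^m(n) by m applications
            acc = f(acc)
        return acc
    raise TypeError(f"unknown term {t!r}")


# The term from the note:  lambda m, n. (R f m n)
R_TERM: Term = Iter("f", Var("m"), Var("n"))


def iterate_doubling(m: int, n: int) -> int:
    """rho(f) = lambda k. 2k, i.e. |f| is the (polynomial) function 2k."""
    return size_eval(R_TERM, {"f": lambda k: 2 * k, "m": m, "n": n})


def doubling_is_exponential(m: int, n: int) -> bool:
    """Check the note's claim: (R f m n) with |f| = 2k evaluates to n * 2^m."""
    return iterate_doubling(m, n) == n * 2 ** m


def iterate_additive(m: int, n: int, c: int) -> int:
    """rho(f) = lambda k. k + c: c is a strict part (no dependence on the
    iterated, 'safe' argument k) and k is the chary part."""
    return size_eval(R_TERM, {"f": lambda k: k + c, "m": m, "n": n})


def safe_bound_additive(m: int, n: int, c: int) -> int:
    """Constructed instantiation of (p1 * q0 + q2) + (r0' v r2): p1 = m,
    q0 = c, q2 = 0, r2 = n, r0' = 0.  Strict parts add up once per
    iteration; chary parts are only max-ed, so the bound stays polynomial."""
    return (m * c + 0) + max(0, n)


def additive_bound_holds(limit: int) -> bool:
    """Exhaustively check the safe bound for all m, n, c up to limit."""
    return all(
        iterate_additive(m, n, c) <= safe_bound_additive(m, n, c)
        for m in range(limit + 1)
        for n in range(limit + 1)
        for c in range(limit + 1)
    )


def succ_of_max(m: int, n: int) -> int:
    """(s (V m n)) = max(m, n) + 1, exercising the other two constructs."""
    return size_eval(Succ(Max(Var("m"), Var("n"))), {"m": m, "n": n})
```

The two interpretations of f differ only in whether the size-increase depends on the argument being iterated: `k + c` keeps the strict/chary shape of Definition 30 and the R-I bound of Theorem 34 applies, while `2k` adds a copy of the safe argument to itself on every step, which is exactly what Example 23(b)'s ρ2(g2) = λy.y ⊕ y does.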
Theorem 34. Given a flat-type-variable free Σ ⊢ s: γ, we can effectively find a γ-safe p_s with respect to Σ such that s ≤_nwf p_s. Moreover, we can choose p_s so that all free variable occurrences are unshadowed.

Proof. Without loss of generality we assume that s is in β-normal form. The argument is a structural induction on the derivation of Σ ⊢ s: γ. We consider the cases of the last rule used in the derivation. Let d range over ω.

Case: Zero-I. Then s = 0 and γ = T_ε. So p_s = 0 suffices since 0 is T_ε-strict.

Case: Const-I. Then s = k and γ = T_ε. So p_s = k suffices since k is T_ε-strict.

Case: Id-I. Then s = x, a variable. Subcase: γ is a base type. Then p_s = x suffices since x is γ-chary. Subcase: γ = (σ0, ..., σk) → b. (Recall the introduction of 𝔭_x in Definition 28.) Let Σ' = Σ, x0: σ0, ..., xk: σk and p' = (𝔭_x p0 ... pk) where, for each i, p_i = x_i if tail(σi) <: b, and p_i = 0_{σi} otherwise. (Note that since s is flat-type-variable free, tail(σi) ≠ b for each i.) Then p' is b-chary with respect to Σ' and (x x0 ... xk) ≤_nwf p'. It follows that p_s = λx0, ..., xk.p' suffices.

Case: →-I. This case follows by the induction hypothesis and clause (iii) in Definition 30(c).

Case: →-E. This case follows by the induction hypothesis and Lemma 32.

Case: Subsumption. Then by Subsumption we know that Σ ⊢ s: γ' where γ' <: γ. Without loss of generality, we assume γ' ≠ γ. By the induction hypothesis there exists p, a γ'-safe size-bound for s with respect to Σ. It follows from Definition 30 that p is γ-strict with respect to Σ. Hence, p_s = p suffices.

Case: Shift. Recall that if (σ) → b ∝ (σ') → b', then, for each i, tail(σi) <: b implies tail(σi') <: b' and tail(σi) = b implies tail(σi') = b'. Thus this case follows from Lemma 20 (in both its second-order polynomial and GR versions) and Definition 30.

Case: s-I. Then s = (s s1) and γ = T_{□_d}. So by s-I, we know that Σ ⊢ s1: T_{□_d} and by the induction hypothesis we have that there is a T_{□_d}-strict q and a T_{□_d}-chary r with s1 ≤_nwf q + r. Thus p_s = (q + 1) + r suffices since q + 1 is T_{□_d}-strict.

Case: ∨-I. Then s = (∨ s0 s1). Subcase: γ = T_{□_d}. So by ∨-I we know that Σ0 ⊢ s0: T_{□_d} and Σ1 ⊢ s1: T_{□_d}, where Σ = Σ0 ∪ Σ1. By the induction hypothesis, there are T_{□_d}-strict q0 and q1 and T_{□_d}-chary r0 and r1 such that s0 ≤_nwf q0 + r0 and s1 ≤_nwf q1 + r1. Thus p_s = (q0 ∨ q1) + (r0 ∨ r1) suffices since s ≤_nwf (q0 + r0) ∨ (q1 + r1) ≤_nwf (q0 ∨ q1) + (r0 ∨ r1) and since (q0 ∨ q1) is T_{□_d}-strict and (r0 ∨ r1) is T_{□_d}-chary with respect to Σ. Subcase: γ = T_{◇_d}. This follows by an easy modification of the above argument.

Case: R-I. Then s = (R s0 s1 s2). Subcase: γ = T_{□_d}. So by R-I, we have Σ0 ⊢ s0: T_{□_d} → T_{□_d}, Σ1 ⊢ s1: T_{◇_d}, and Σ2 ⊢ s2: T_{□_d}, where Σ = Σ0 ∪ Σ1 ∪ Σ2. Since s is flat-type-variable free, we must have s0 = λz.s0' where Σ0, z: T_{□_d} ⊢ s0': T_{□_d}. Hence, by the induction hypothesis, there are T_{□_d}-strict q0 and q2, T_{□_d}-chary r0 and r2, and T_{◇_d}-safe p1 such that s0' ≤_nwf q0 + r0, s1 ≤_nwf p1, and s2 ≤_nwf q2 + r2. Note that p1 is also T_{□_d}-strict. Suppose z has no free occurrences in q0 + r0. Then it follows that s ≤_nwf (q0 + r0) ∨ (q2 + r2) ≤_nwf (q0 ∨ q2) + (r0 ∨ r2); so p_s = (q0 ∨ q2) + (r0 ∨ r2) suffices. Now suppose z does have a free occurrence in q0 + r0. Since q0 is T_{□_d}-strict, z cannot occur in q0. Since s is flat-type-variable free, it follows that r0 ≡_nwf z ∨ r0' where z has no free occurrences in r0' and where r0' is T_{□_d}-chary. By the inequality q + ((q' + r') ∨ r) ≤ (q + q') + (r' ∨ r), it follows that s ≤_nwf (p1 * q0 + q2) + (r0' ∨ r2). So, p_s = (p1 * q0 + q2) + (r0' ∨ r2) suffices. (Note the parallel to the proof of Proposition 1.) Subcase: γ = T_{◇_d}. This follows by an easy modification of the above argument. □
$$
\text{𝔭-I:}\quad \frac{\Sigma \vdash p : \sigma}{\Sigma \vdash (\mathfrak{p}\; p) : \sigma}
\qquad
\text{𝔮-I:}\quad \frac{\Sigma \vdash p : \sigma}{\Sigma \vdash (\mathfrak{q}\; p) : \sigma^{\dagger}}
\qquad
\text{𝔯-I:}\quad \frac{\Sigma \vdash p : \sigma}{\Sigma \vdash (\mathfrak{r}\; p) : \sigma^{\ddagger}}
$$

Figure 17: Typing rules for the 𝔭, 𝔮, and 𝔯 combinators



9. Flat types and well-temperedness

To avoid problems like the one of Example 23(b), flat-type values need to be restricted. The GR formalism of the previous section is subject to roughly the same problem as that of Example 23(b), but by Theorem 34 flat-type-variable free GR expressions have safe second-order polynomial bounds. This suggests that a solution to the flat-type values problem is to require all flat-type values to have safe size-bounds. We call this property well-temperedness, meaning: all things are in the right proportions.

Definition 35. A t ∈ L_nwf⟦γ⟧ is γ-well-tempered when γ is strict or when γ is flat and there is a closed, γ-safe s with t ≤ L_nwf⟦s⟧.

Lemma 36. Suppose Σ ⊢ p: σ, ρ ∈ L_nwf⟦Σ⟧, and ρ(x) is Σ(x)-well-tempered for each x ∈ preimage(Σ). Then L_nwf⟦p⟧ ρ is σ-well-tempered.

Lemma 36's proof is an induction on the derivation of Σ ⊢ p: σ. Everything is fairly straightforward except that the →-E case depends critically on Lemma 32. Lemma 36 indicates that a semantics for the second-order polynomials based on well-temperedness will be well defined.

Definition 37 (The well-tempered semantics).

(a) Inductively define L_wt⟦σ⟧ by: L_wt⟦T_ℓ⟧ = ω and, for σ = (σ1, ..., σk) → T_ℓ, L_wt⟦σ⟧ is the restriction to (L_wt⟦σ1⟧, ..., L_wt⟦σk⟧) → L_wt⟦T_ℓ⟧ of the σ-well-tempered elements of L_nwf⟦σ⟧. L_wt⟦Σ⟧ and L_wt⟦Σ ⊢ p: σ⟧ are defined in the standard way.

(b) Inductively define V_wt⟦σ⟧ by: V_wt⟦N_ℓ⟧ = N and, for σ = (σ1, ..., σk) → N_ℓ, V_wt⟦σ⟧ is the restriction to (V_wt⟦σ1⟧, ..., V_wt⟦σk⟧) → V_wt⟦N_ℓ⟧ of the f ∈ V_nwf⟦σ⟧ with |f| ∈ L_wt⟦|σ|⟧. V_wt⟦Γ; Δ⟧ and V_wt⟦Γ; Δ ⊢ e: σ⟧ are defined in the standard way.

(c) We write p ≡_wt p' when L_wt⟦Σ ⊢ p: σ⟧ |ρ| = L_wt⟦Σ ⊢ p': σ⟧ |ρ| for all |ρ| ∈ L_wt⟦Σ⟧. We define ≤_wt, ≥_wt, ... analogously.

There is still a problem with flat-type values. To give closed-form upper bounds on recursions, we sometimes need to decompose a safe flat-type polynomial into strict and chary parts. (Recall that safety is a semantic, not syntactic, notion.) For flat-type-variable free safe polynomials this is easy. A way of breaking flat-type variables into strict and chary parts would allow us to extend this decomposition to all safe polynomials. We introduce two new combinators to effect such a decomposition. Since there is no canonical way to do this decomposition, we take a different (and trickier) approach from that of Definition 28. Terminology: Let (b)† = (b)‡ = b, ((σ) → b)† = (σ') → b, and ((σ) → b)‡ = (σ'') → b, where σ' = the subsequence of σi's in σ with tail(σi) ≠ b and σ'' = the subsequence of σi's in σ with σi ≠ b. (Recall: () → b = b.)

Definition 38. We add two new combinators, 𝔮 and 𝔯, to the second-order polynomials with typing rules given in Figure 17. Suppose Σ = w1: τ1, ..., wn: τn, Σ ⊢ p: γ, and ρ ∈ L_wt⟦Σ⟧. For γ strict, define L_wt⟦(𝔮 p)⟧ ρ = 0_{γ†} and L_wt⟦(𝔯 p)⟧ = L_wt⟦(𝔭 p)⟧. Suppose γ = (σ0, ..., σk) → b is flat. Let ζ = (τ, σ) → b, (σ_{i1}, ..., σ_{im}) → b = γ†, (σ_{j1}, ..., σ_{jn}) → b = γ‡, x = x0, ..., xk, x' = x_{i1}, ..., x_{im}, x'' = x_{j1}, ..., x_{jn}, and { z1, ..., zu } = { w_i | τ_i = b } ∪ { x_j | σ_j = b }, where the z_i's are all distinct. Define L_wt⟦(𝔮 p)⟧ = L_wt⟦λx'.q⟧ and L_wt⟦(𝔯 p)⟧ = L_wt⟦λx''.r⟧, where (i) q is b-strict with respect to Σ, x: σ, (ii) r is b-chary with respect to Σ, x: σ and r has no occurrence of any z_j, and (iii) L_wt⟦Σ ⊢ p: γ⟧ ρ is bounded by

$$
\mathcal{L}_{\mathrm{wt}}\llbracket \vdash \lambda w, x.\,(q + r \vee z_1 \vee \dots \vee z_u) : \zeta \rrbracket \quad \text{for computational } \gamma;
$$

$$
\mathcal{L}_{\mathrm{wt}}\llbracket \vdash \lambda w, x.\,(q \vee r \vee z_1 \vee \dots \vee z_u) : \zeta \rrbracket \quad \text{for oracular } \gamma.
$$

For each variable x, we abbreviate (𝔮 x) by 𝔮_x and (𝔯 x) by 𝔯_x. Also, we take (𝔮_x x') as being b-strict and (𝔯_x x'') as being b-chary.

Example 39. By the definition of prn given in Figure 13 and our proof sketch for Proposition 1, it follows that |prn| ≤_wt λ|e|, |x|. ((|x| + 1) * 𝔮_{|e|}(|x|) + 𝔯_{|e|}(|x|)).
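As an added illustration (not part of the paper), the shape of the bound in Example 39 follows from a one-step inequality on the step function. Assume (these are assumptions for the illustration) that the step function's length satisfies |e|(|x|, ℓ) ≤ 𝔮(|x|) + (𝔯(|x|) ∨ ℓ), with 𝔮 = 𝔮_{|e|} strict, so it has no dependence on the iterated "safe" argument ℓ, and 𝔯 = 𝔯_{|e|} chary; let ℓ_k bound the length after k applications of e in the unfolding of prn, with ℓ_0 ≤ 𝔯(|x|). Induction on k gives ℓ_k ≤ k·𝔮(|x|) + 𝔯(|x|):

$$
\begin{aligned}
\ell_{k+1} &\le \mathfrak{q}(|x|) + \bigl(\mathfrak{r}(|x|) \vee \ell_k\bigr)\\
&\le \mathfrak{q}(|x|) + \bigl(\mathfrak{r}(|x|) \vee (k\cdot\mathfrak{q}(|x|) + \mathfrak{r}(|x|))\bigr) && \text{(induction hypothesis)}\\
&= \mathfrak{q}(|x|) + k\cdot\mathfrak{q}(|x|) + \mathfrak{r}(|x|) && \text{(since } \mathfrak{r}(|x|) \le k\cdot\mathfrak{q}(|x|) + \mathfrak{r}(|x|))\\
&= (k+1)\cdot\mathfrak{q}(|x|) + \mathfrak{r}(|x|).
\end{aligned}
$$

With at most |x| + 1 applications of e, the length of prn e x is bounded by (|x| + 1)·𝔮_{|e|}(|x|) + 𝔯_{|e|}(|x|), the bound of Example 39: the strict part is paid once per iteration, the chary part only once, exactly as in the R-I case of Theorem 34.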

By Definitions 35 and 37, q and r as in Definition 38 must exist. By the axiom of choice, there are functions that pick out particular q and r. N.B. The choices of q and r are arbitrary subject to satisfying conditions (i), (ii), and (iii) of Definition 38. The semantics for the second-order polynomials is thus parameterized by the functions that pick out the required q's and r's. The choices 𝔮 and 𝔯 make are analogous to the choices of a and b ∈ ω in the situation where one knows that f ∈ O(n) and picks some arbitrary a and b such that f(n) ≤ a·n + b for all n. Such a and b can be used in constructing algebraic upper bounds on expressions involving f. If later we determine concrete a0 and b0 such that f(n) ≤ a0·n + b0 for all n, then said algebraic upper bounds are still valid after the substitution [a := a0, b := b0] since the choices of a and b were arbitrary.

Definition 40. Suppose Σ ⊢ p: γ, where {y1, ..., yk} = { y | Σ(y) = tail(γ) }. We say that p is manifestly γ-safe with respect to Σ if and only if the only applications of the 𝔭, 𝔮, and 𝔯 combinators are to variables, and:

(a) when γ = T_{◇_d}, then p is of one of the forms: q, r ∨ y_{i1} ∨ ... ∨ y_{in}, and q ∨ r ∨ y_{i1} ∨ ... ∨ y_{in}, where q is γ-strict, r is γ-chary with no occurrences of any of the y_j's, and {y_{i1}, ..., y_{in}} is a (possibly empty) subset of { y1, ..., yk };

(b) when γ = T_{□_d}, then p is of one of the forms: q, r ∨ y_{i1} ∨ ... ∨ y_{in}, and q + r ∨ y_{i1} ∨ ... ∨ y_{in}, where q, r, and {y_{i1}, ..., y_{in}} are as in (a); and

(c) when γ = (σ0, ..., σm) → b, then the β-normal form of (p x) is manifestly b-safe with respect to Σ, x0: σ0, ..., xm: σm.

Lemma 41 (Manifestly safe substitution). Fix Σ. Given a manifestly γ-safe p0, a manifestly σ-safe p1, and a variable x with Σ(x) = σ, we can effectively find a manifestly γ-safe p0' such that p0[x := p1] ≤_nwf p0'.

Proof. This is a straightforward adaptation of the proof of Lemma 32. □

We now have a reasonable semantics for ATR and the tools to work with this semantics to establish (in Theorem 43) a safe polynomial boundedness result for ATR, where:

Definition 42. Suppose Γ; Δ ⊢ e: σ. We say that p is a |σ|-safe polynomial size-bound for e with respect to Γ; Δ when p is a |σ|-safe second-order polynomial with respect to |Γ; Δ| and |V_wt⟦e⟧ ρ| ≤ L_wt⟦p⟧ |ρ| for all ρ ∈ V_wt⟦Γ; Δ⟧; if in addition p is manifestly |σ|-safe with respect to Γ; Δ, we say that p is a manifestly |σ|-safe polynomial size-bound for e with respect to Γ; Δ. (The "with respect to" clause is dropped when it is clear from context.)
10. Polynomial size-boundedness

Theorem 43 (Polynomial Boundedness). Given Γ; Δ ⊢ e: γ, we can effectively find p_e, a manifestly |γ|-safe polynomial size-bound for e with respect to Γ; Δ.

Proof. The argument is a structural induction on the derivation of Γ; Δ ⊢ e: γ. We consider the cases of the last rule used in the derivation. Excluding the crec case, everything is fairly straightforward. Fix ρ ∈ V_wt⟦Γ; Δ⟧. Note that |V_wt⟦·⟧ ρ| is invariant under β- and η-equivalence. So without loss of generality, we assume that e is in β-normal form.

Cases: Int-Id-I and Aff-Id-I. Then e = x, a variable. Subcase: γ is strict. Then p_e = |x| clearly suffices. Subcase: γ is flat. Hence, level(γ) = 1. Let (b0, ..., bk) → b = γ. Then by Definitions 37 and 38,

suffices, where the argument subsequence is the subsequence of the |x_i|'s with b_i ≠ b, {y1, ..., ym} = { y | (Γ, x0: b0, ..., xk: bk; Δ)(y) = b }, and where the operation combining the strict and chary parts is +, if γ is computational, and ∨, if γ is oracular.

Case: Zero-I. Then e = ε and γ = N_ε. Clearly p_e = 0 suffices.

Case: Const-I. Then e = some constant k and γ = N_ε. Clearly p_e = |k| suffices.

Case: t_a-I. So γ = N_{□_d} for some d. Clearly p_e = 1 suffices.

Case: d-I. Then e = (d e') for some e' and γ = N_{□_d} for some d. By the induction hypothesis, there is p_{e'}, a manifestly T_{□_d}-safe polynomial size-bound for e' with respect to Γ; Δ. Clearly p_e = p_{e'} suffices.

Case: down-I. Then e = (down e0 e1) with Γ; Δ ⊢ e0: b0, Γ; Δ ⊢ e1: b1, and γ = b1. By the induction hypothesis, there is p_{e1}, a manifestly |b1|-safe polynomial size-bound for e1 with respect to Γ; Δ. Clearly p_e = p_{e1} suffices.

Case: c_a-I. Then e = (c_a e') for some e' and γ = N_{□_d} for some d. By the induction hypothesis, there is p_{e'}, a manifestly T_{□_d}-safe polynomial size-bound for e' with respect to Γ; Δ. Clearly p_e = 1 + p_{e'} suffices.

Cases: Subsumption and Shift. These follow as in the proof of Theorem 34.

Aside: For the arguments for the →-I and →-E cases below, recall from §2.10 that (2.2) and (2.3) provide the definition of length for elements of TC of type-level 1 and type-level 2, respectively, and that higher-type lengths are pointwise monotone nondecreasing.

Case: →-I. Then e = λx.e' and γ = σ → τ. By our induction hypothesis, there is p_{e'}, a manifestly |τ|-safe polynomial size-bound for e' with respect to Γ, x: σ; Δ. Let p_e = λ|x|.p_{e'}. By Definition 40(c), p_e is manifestly |γ|-safe with respect to |Γ; Δ|. Let v range over V_wt⟦σ⟧. Then, for each t ∈ L_wt⟦|σ|⟧, we have the chain of bounds of Figure 18. Clearly this p_e suffices.

Case: →-E. Then e = (e0 e1) and for some σ we have that Γ; Δ ⊢ e0: σ → γ and Γ; _ ⊢ e1: σ. By the induction hypothesis, there are p_{e0} and p_{e1} such that p_{e0} is a manifestly (|σ| → |γ|)-safe polynomial size-bound for e0 and p_{e1} is a manifestly |σ|-safe polynomial size-bound for e1. By Lemma 41 we can effectively find a manifestly |γ|-safe p_e such that (p_{e0} p_{e1}) ≤_wt p_e. Then we have the chain of bounds of Figure 19. Clearly this p_e suffices.

Case: if-I. Then e = (if e0 then e1 else e2). By the induction hypothesis, there are p_{e1} and p_{e2}, manifestly |γ|-safe polynomial size-bounds for e1 and e2 respectively. Clearly p_e = p_{e1} ∨ p_{e2} suffices.

We have just one case left, but now the real work starts.
$$
\begin{aligned}
&|\mathcal{V}_{\mathrm{wt}}\llbracket \lambda x.e' \rrbracket \rho|\,(t)\\
&= \max\{\, |(\mathcal{V}_{\mathrm{wt}}\llbracket \lambda x.e' \rrbracket \rho)(v)| \;:\; |v| \le t \,\} && \text{(by (2.2) and (2.3))}\\
&= \max\{\, |\mathcal{V}_{\mathrm{wt}}\llbracket e' \rrbracket (\rho \cup \{x \mapsto v\})| \;:\; |v| \le t \,\} && \text{(by the } \mathcal{V}_{\mathrm{wt}}\text{-interpretation of } \lambda\text{-terms)}\\
&\le \max\{\, \mathcal{L}_{\mathrm{wt}}\llbracket p_{e'} \rrbracket (|\rho| \cup \{|x| \mapsto |v|\}) \;:\; |v| \le t \,\} && \text{(by the choice of } p_{e'})\\
&\le \mathcal{L}_{\mathrm{wt}}\llbracket p_{e'} \rrbracket (|\rho| \cup \{|x| \mapsto t\}) && \text{(by monotonicity)}\\
&= (\mathcal{L}_{\mathrm{wt}}\llbracket \lambda |x|.p_{e'} \rrbracket |\rho|)(t) && \text{(by the } \mathcal{L}_{\mathrm{wt}}\text{-interpretation of } \lambda\text{-terms)}\\
&= (\mathcal{L}_{\mathrm{wt}}\llbracket p_e \rrbracket |\rho|)(t) && \text{(by the choice of } p_e).
\end{aligned}
$$

Figure 18: Bounds for the →-I case

$$
\begin{aligned}
&|\mathcal{V}_{\mathrm{wt}}\llbracket (e_0\; e_1) \rrbracket \rho|\\
&= |(\mathcal{V}_{\mathrm{wt}}\llbracket e_0 \rrbracket \rho)(\mathcal{V}_{\mathrm{wt}}\llbracket e_1 \rrbracket \rho)| && \text{(by the } \mathcal{V}_{\mathrm{wt}}\text{-interpretation of application)}\\
&\le (|\mathcal{V}_{\mathrm{wt}}\llbracket e_0 \rrbracket \rho|)(|\mathcal{V}_{\mathrm{wt}}\llbracket e_1 \rrbracket \rho|) && \text{(by (2.2) and (2.3))}\\
&\le (\mathcal{L}_{\mathrm{wt}}\llbracket p_{e_0} \rrbracket |\rho|)(\mathcal{L}_{\mathrm{wt}}\llbracket p_{e_1} \rrbracket |\rho|) && \text{(by monotonicity and the choices of } p_{e_0} \text{ and } p_{e_1})\\
&= \mathcal{L}_{\mathrm{wt}}\llbracket (p_{e_0}\; p_{e_1}) \rrbracket |\rho| && \text{(by the } \mathcal{L}_{\mathrm{wt}}\text{-interpretation of application)}\\
&\le \mathcal{L}_{\mathrm{wt}}\llbracket p_e \rrbracket |\rho| && \text{(by the choice of } p_e).
\end{aligned}
$$

Figure 19: Bounds for the →-E case



Case: crec-I. Then γ = (b1, ..., bk) → b0 ∈ R, so b1 = N_{◇_{d1}} for some d1, and e = (crec a (λ_r f.A)) with a ∈ 0*, Γ; f: γ ⊢ A: γ, and TailPos(f, A). (Recall: TailPos is defined in Figure 11.) For simplicity we assume { b1, ..., bk } = { N_ε, ..., N_{◇_{d1}}, N_{□_{d1}} } ∪ { b | N_{◇_{d1}} <: b <: b_max } for some b_max. Without loss of generality we suppose:

A = λx1, ..., xk.B,    (10.1)

where Γ̄; f: γ ⊢ B: b0 for Γ̄ = Γ, x1: b1, ..., xk: bk, B is in β-normal form, and TailPos(f, B).

Aside: To find p_e for this case, we analyze e's tail recursion and determine size bounds on how large the tail-recursion's arguments can grow. In particular, we show that there is a polynomial bound beyond which the first argument cannot grow; hence, by (4.2), this polynomial bounds the depth of e's tail recursion. From this bound on recursion depth and from the size bounds on the tail-recursion arguments, constructing p_e is straightforward. To derive these bounds, we proceed a little informally and work with unfolded versions of e.

Consider the occurrences of f in B. Since we have TailPos(f, B) and Γ̄; f: γ ⊢ B: b0, these occurrences must have enclosing expressions of the form (f e1 ... ek), where Γ̄; _ ⊢ e1: b1, ..., Γ̄; _ ⊢ ek: bk. For a given such subexpression of B, we know by the induction hypothesis that, for each i = 1, ..., k, there is p_i, a manifestly b_i-safe polynomial size-bound for e_i with respect to Γ̄; _. Since f occurs but finitely many times in B, we may choose p1, ..., pk so that they bound the size of the corresponding argument expressions for every f-application in B. Without loss of generality, we assume that if b_i = b_j, then p_i = p_j.
Using the crec reduction rule (4.2), we expand out one level of e's crec-recursion and, by using β- and η-reductions, clean things up to obtain

e^{(1)} = λx. if |a| < |x1| then B̄ else ε, where

B̄ = the βη-normal form of B[f := (crec (0a) (λ_r f.A))].

Clearly, V_wt⟦e⟧ = V_wt⟦e^{(1)}⟧. Let ξ denote the substitution [|x1| := p1, ..., |xk| := pk]. From our choices of the p_i's and B̄ it follows that (p1 ξ), ..., (pk ξ) bound the size of the corresponding argument expressions for every f-application in B̄. For each i, (p_i ξ) can be equivalently expressed in terms of p_i as follows. Terminology: An r is strictly b-chary when r is b-chary and contains no occurrences of type-b variables.

(Note: In working through the proofs of Lemmas 44 and 45 below, the reader may want to consider the case of: γ = (N_◇, N_◇, N_□) → N_□, f has but one occurrence in A, p1(|x1|, |x2|, |x3|) = |g|(|x2|) ∨ …, p2(|x1|, |x2|, |x3|) = |x2|, and p3(|x1|, |x2|, |x3|) = q3(|x1|, |x2|) + |x3|, where g: N_□ → N_◇ and where q3 is an ordinary polynomial.)

Lemma 44 (The one step lemma). Each p_i can be taken so that:

(a) If b_i <: N_{◇_{d1}}, then p_i ξ ≡_wt p_i.

(b) If N_{◇_{d1}} <: b_i = N_{◇_d}, then there is a b_i-strict q_i and a strictly b_i-chary r_i such that p_i ξ ≡_wt q_i ξ ∨ r_i ξ ∨ p_i.

(c) If N_{◇_{d1}} <: b_i = N_{□_d}, then there is a b_i-strict q_i and a strictly b_i-chary r_i such that p_i ξ ≡_wt q_i ξ + r_i ξ ∨ p_i.
Proof. For each d, let:

$$
\begin{aligned}
\{u^d_1, \dots, u^d_{b_d}\} &= \{\, u \mid \bar\Gamma(u) = N_{\Diamond_d} \,\}, &
\{w^d_1, \dots, w^d_{c_d}\} &= \{\, u \mid \bar\Gamma(u) = N_{\Box_d} \,\},\\
\{\bar u^d_1, \dots, \bar u^d_{b'_d}\} &= \{\, x_i \mid b_i = N_{\Diamond_d} \,\}, &
\{\bar w^d_1, \dots, \bar w^d_{c'_d}\} &= \{\, x_i \mid b_i = N_{\Box_d} \,\}.
\end{aligned}
$$

(The ū's and w̄'s correspond to the arguments of the recursion while the u's and w's correspond to the other parameters.)

For part (a), we inductively consider the cases of b_i = N_ε, N_{◇_0}, ..., N_{◇_{d1}} in turn.

Case: b_i = N_ε. By the induction hypothesis, we may take p_i to be q ∨ r ∨ t ∨ t̄, where q is T_ε-strict, r is strictly T_ε-chary, and t = ∨_a |u_a| and t̄ = ∨_a |ū_a| are the maxima over the lengths of the type-N_ε parameters and recursion arguments, respectively. It follows from the size typing rules that the only T_ε-strict terms are ≡_wt 0. So, it suffices to take p_i = r ∨ t ∨ t̄. Note that r = rξ and t = tξ since neither r nor t has any occurrence of any ū_a. Also recall that we are assuming that if b_i = b_j, then p_i = p_j. Thus, for each a, |ū_a| ξ = p_a = p_i. So, t̄ ξ ≡_wt p_i = r ∨ t ∨ t̄. Consequently,

$$
p_i\xi \equiv_{\mathrm{wt}} (r \vee t \vee \bar t)\xi \equiv_{\mathrm{wt}} r\xi \vee t\xi \vee \bar t\xi \equiv_{\mathrm{wt}} r \vee t \vee (r \vee t \vee \bar t) \equiv_{\mathrm{wt}} r \vee t \vee \bar t \equiv_{\mathrm{wt}} p_i.
$$

Hence, our choice of p_i suffices for this case.

Case: b_i = N_{◇_0}. By the induction hypothesis, we can take p_i to be of the form q ∨ r ∨ t ∨ t̄, where q is T_{◇_0}-strict, r is strictly T_{◇_0}-chary, t = ∨_{a=0}^{b_0} |u^0_a|, and t̄ = ∨_{a=0}^{b'_0} |ū^0_a|. First consider q. Since q is T_{◇_0}-strict, the only variables from x1, ..., xk whose lengths can occur in q are those assigned type N_ε. Let q̄ = qξ where, for each i' with b_{i'} = N_ε, we take p_{i'} to satisfy part (a). Hence, it follows that q̄ ξ ≡_wt q̄. Also, by the monotonicity of everything in sight, we have that q ≤_wt q̄. By the same argument,



[Footnote fragment] an r may contain occurrences of variables of types of the form (σ0, ..., σk) → b.
for r̄ = rξ we have that r̄ ξ ≡_wt r̄ and r ≤_wt r̄. So, it suffices to take p_i = q̄ ∨ r̄ ∨ t ∨ t̄. Note that t = tξ since t has no occurrence of any ū_a. Also recall that we are assuming that if b_i = b_j, then p_i = p_j. Thus, for each a, |ū^0_a| ξ = p_a = p_i. So, t̄ ξ ≡_wt p_i = q̄ ∨ r̄ ∨ t ∨ t̄. Consequently,

$$
p_i\xi \equiv_{\mathrm{wt}} (\bar q \vee \bar r \vee t \vee \bar t)\xi \equiv_{\mathrm{wt}} \bar q\xi \vee \bar r\xi \vee t\xi \vee \bar t\xi \equiv_{\mathrm{wt}} \bar q \vee \bar r \vee t \vee (\bar q \vee \bar r \vee t \vee \bar t) \equiv_{\mathrm{wt}} \bar q \vee \bar r \vee t \vee \bar t \equiv_{\mathrm{wt}} p_i.
$$

Hence, our choice of p_i suffices for this case.

Cases: b_i = N_{□_0}, ..., N_{◇_{d1}}. These cases follow from essentially the same argument as given for the b_i = N_{◇_0} case.

Therefore, part (a) follows.

We henceforth assume that p_i satisfies part (a) for each i with b_i <: N_{◇_{d1}}.

For parts (b) and (c), consider the cases of b_i = N_{□_{d1}}, N_{◇_{d1+1}}, ..., b_max in turn.

Case: b_i = N_{□_{d1}}. By the induction hypothesis, we may take p_i to be of the form q + r ∨ t ∨ t̄, where q is T_{□_{d1}}-strict, r is strictly T_{□_{d1}}-chary, t = ∨_{a=0}^{c_{d1}} |w^{d1}_a|, and t̄ = ∨_{a=0}^{c'_{d1}} |w̄^{d1}_a|. Note that as in the previous cases, t = tξ. Also recall that we are assuming that if b_i = b_j, then p_i = p_j. Thus, for each a, |w̄^{d1}_a| ξ = p_a = p_i. So, t̄ ξ ≡_wt p_i = q + r ∨ t ∨ t̄. Consequently,

$$
p_i\xi \equiv_{\mathrm{wt}} (q + r \vee t \vee \bar t)\xi \equiv_{\mathrm{wt}} q\xi + r\xi \vee t\xi \vee \bar t\xi \equiv_{\mathrm{wt}} q\xi + r\xi \vee t \vee (q + r \vee t \vee \bar t) \equiv_{\mathrm{wt}} q\xi + r\xi \vee (q + r \vee t \vee \bar t) \equiv_{\mathrm{wt}} q\xi + r\xi \vee p_i.
$$

Hence, taking q_i = q and r_i = r suffices for this case.

Case: b_i = N_{◇_{d1+1}}. By the induction hypothesis, we may take p_i to be of the form q ∨ r ∨ t ∨ t̄, where q is T_{◇_{d1+1}}-strict, r is strictly T_{◇_{d1+1}}-chary, t = ∨_{a=0}^{b_{d1+1}} |u^{d1+1}_a|, and t̄ = ∨_{a=0}^{b'_{d1+1}} |ū^{d1+1}_a|. By an argument similar to the one for the previous case it follows that taking q_i = q and r_i = r suffices for this case too.

Cases: b_i = N_{□_{d1+1}}, ..., b_max. These cases follow from essentially the same arguments as given for the previous two cases. □

Lemma 44

Henceforth we assume that each $p_i$ is as in Lemma 44 and, in the cases where $\mathsf{N}_{\square_d} <: b_i$, $q_i$ and $r_i$ are as in that lemma too. For each $n \in \omega$, define

$$e^{(n)} = \text{the } \beta\text{-normal form of the } n\text{-level unfolding of } e\text{'s crec-recursion}, \qquad (10.2)$$

where $\beta$- and $\eta$-reductions are used to neaten up things as in the definition of $e^{(1)}$. So, $e^{(0)} = e$ and $e^{(1)} =$ our prior definition of $e^{(1)}$. Let $\xi^{(0)} =$ the empty substitution and $\xi^{(n+1)} = \xi \circ \xi^{(n)} =$ the $(n+1)$-fold composition of $\xi$. It follows that, with respect to $\Gamma;\_$, for each $i$ and $n$, $(p_i\xi^{(n)})$ is a size bound for the $i$-th argument expression of every $f$-application in $e^{(n)}$.

Lemma 45 (The $n$ step lemma). For each $i$ and $n$:

(a) $p_i\xi^{(n)} =_{wt} p_i$ when $b_i <: \mathsf{N}_{\square_d}$.

(b) $p_i\xi^{(n)} \leq_{wt} (q_i \vee r_i)\xi^{(n)} \vee p_i$ when $\mathsf{N}_{\square_d} <: b_i = \mathsf{N}_{\Diamond_{d'}}$.

(c) $p_i\xi^{(n)} \leq_{wt} n * (q_i\xi^{(n)}) + (r_i\xi^{(n)}) \vee p_i$ when $\mathsf{N}_{\square_d} <: b_i = \mathsf{N}_{\Diamond_{d'}}$.

Proof. Part (a) follows directly from Lemma 44(a). For parts (b) and (c) we first note that by monotonicity we have that, for all $k$ and $i$, $(q_i \vee r_i)\xi^{(k)} \leq_{wt} (q_i \vee r_i)\xi^{(k+1)}$. Now, for part (b), it follows immediately from Lemma 44(b) that, for each $n$ and $i$, we have

$$p_i\xi^{(n)} =_{wt} \Big(\bigvee_{k=0}^{n} (q_i \vee r_i)\xi^{(k)}\Big) \vee p_i.$$

Hence, by the noted monotonicity of $(q_i \vee r_i)\xi^{(k)}$, part (b) follows. For part (c), first fix $i$ such that $b_i = \mathsf{N}_{\Diamond_{d'}}$ with $d' \geq d$. It follows from an easy induction that for all $n$, $p_i\xi^{(n)} \leq_{wt} \big(\sum_{j=1}^{n} q_i\xi^{(j)}\big) + \big(\bigvee_{j=1}^{n} r_i\xi^{(j)}\big) \vee p_i$; note the parallel to the argument for the prn-case of Proposition 7. Hence, by monotonicity of $q_i\xi^{(k)}$ and $r_i\xi^{(k)}$, part (c) follows. □

Lemma 45

By Lemma 45(a) and (4.2) we have

Lemma 46 (Termination). $\mathcal{L}_{wt}\llbracket p_0\rrbracket\,|\rho| \geq$ the maximum depth of $e$'s crec-recursion.

For each $i$ with $b_i <: \mathsf{N}_{\square_d}$, let $p'_i = p_i$. For $a = \mathsf{N}_{\Diamond_d}, \dots, b_{\max}$ in turn, we inductively define $\theta_a$ to be the substitution $[\,x_j := p'_j \mid b_j <: a\,]$ and also define, for each $i$ with $b_i = a$:

$$p'_i \;\stackrel{\text{def}}{=}\; \begin{cases} \big((q_i \vee r_i)\theta_a\big) \vee p_i, & \text{if } a \text{ is oracular;}\\[2pt] \big(p_0 * (q_i\theta_a)\big) + (r_i\theta_a) \vee p_i, & \text{if } a \text{ is computational.} \end{cases}$$

By Lemma [ref.], for each $i$, we can effectively find a manifestly $b_i$-safe $p''_i$ with $p'_i \leq_{wt} p''_i$.

Lemma 47 (Final sizes). For each $i$, $p''_i$ is a manifestly $b_i$-safe polynomial size-bound on the $i$-th argument expression in the final step of the crec-recursion in $e$.

Proof. For each $i$ with $b_i <: \mathsf{N}_{\square_d}$, the conclusion follows from Lemma 45(a). For the $a = \mathsf{N}_{\Diamond_d}$ case, fix an $i$ with $b_i = \mathsf{N}_{\Diamond_d}$. Then the bound for this case follows from Lemmas 45(c) and 46. The $\mathsf{N}_{\square_{d+1}}$ through $b_{\max}$ cases follow similarly. □

Lemma 47

By the induction hypothesis, there exists $p_B$, a manifestly $|b_0|$-safe polynomial size-bound for $B$ (as in (10.1)) with respect to $\Gamma; f{:}\,\gamma$. By Lemma [ref.] we can effectively find a manifestly $b_0$-safe $p$ such that $p_B[\,|f| := 0,\ |x_1| := p''_1, \dots, |x_k| := p''_k\,] \leq_{wt} p$. The effect of the substitution on $p_B$ is to trivialize $|f|$ and replace each $|x_i|$ with the final size bound from Lemma 47. It follows that $p$ is a manifestly $b_0$-safe size bound for the value returned by the final step of the crec-recursion. Since $\mathit{TailPos}(f, A)$, $p$ is also a size bound on the value returned by the entire (tail) recursion. Thus, $p_E = \lambda|x_1|, \dots, |x_k|.\,p$ suffices for the crec case. □

Theorem 33



11. An abstract machine 

Our next major goal is to show that every ATR expression is computable within a second-order polynomial time-bound (Theorem 79). Before formalizing time bounds, we first need to make precise what is being bounded. Below we set out the abstract machine that provides the operational semantics of PCF, BCL, and ATR and, based on this, §11.2 introduces and justifies our notion of the time cost of an expression evaluation.
Figure 20: The CEK-rewrite rules



11.1. The CEK machine. The operational semantics for PCF, BCL, and ATR are provided by the abstract machine whose rules are given in Figure 20. The machine is based on Felleisen and Friedman's CEK-machine [FF87] as presented by Felleisen and Flatt [FF06]. States in this machine are triples consisting of: (i) an expression to be reduced or else a value, (ii) an environment, and (iii) a continuation. CEK-environments, closures, and values are defined recursively by:

$$\text{CEK-Environments} = \text{Variables} \rightharpoonup_{\mathrm{fin}} \text{Closures}.$$
$$\text{Closures} = (\text{Terms} \cup \text{Values}) \times \text{CEK-Environments}.$$
$$\text{Values} = \text{Strings} \cup \text{Oracles} \cup \lambda\text{-Terms}.$$

An oracle is just an element of $\bigcup_{k>0} TC_{(\mathsf{N}^k) \to \mathsf{N}}$. Note that the result of applying an oracle value $O \in TC_{(\mathsf{N}^{k+1}) \to \mathsf{N}}$ to a $v \in \mathsf{N}$ is the oracle value $O(v) \in TC_{(\mathsf{N}^k) \to \mathsf{N}}$, where $k > 0$. The continuations should be self-explanatory from the rules; if not, see [FWH01].

The CEK rules use the following variables (plain and decorated) with the indicated ranges. $B$: Basic-Operations (i.e., $c_0$, $c_1$, $d$, $t_0$, and $t_1$); $\kappa$: Continuations; $e$: Terms; $O$: Oracles; $\rho$: CEK-Environments; $v$: Values; and $x$: Variables. Also, $\delta_1(B, v)$ returns the value of the given basic-operation on the given value and $\delta_2(v, v')$ returns $\mathit{down}(v, v')$. For each expression $e$ and CEK-environment $\rho$ with $FV(e) \subseteq \mathrm{preimage}(\rho)$,

$$\mathrm{eval}_{CEK}(e, \rho) \;\stackrel{\text{def}}{=}\; \begin{cases} v, & \text{if } (e, \rho, \mathbf{halt}) \to^* (v, \rho', \mathbf{halt});\\ \text{undefined}, & \text{if there is no such } v \text{ and } \rho'. \end{cases}$$

For each ordinary environment $\rho = \{x_1 \mapsto v_1, \dots, x_k \mapsto v_k\}$, let $\rho^*$ be the corresponding CEK-environment, i.e., $\{x_1 \mapsto (v_1, \{\}), \dots, x_k \mapsto (v_k, \{\})\}$, and let $\mathrm{eval}_{CEK}(e, \rho) \stackrel{\text{def}}{=} \mathrm{eval}_{CEK}(e, \rho^*)$.

11.2. The CEK cost model. We assume that the underlying model of computation is along the lines of Kolmogorov and Uspenskii's [KU58] "pointer machines" or Schönhage's storage modification machines [Sch80]. A string is represented by a linked list of 0's and 1's. We take the cost of evaluating an expression $e$ to be the sum of the costs of the steps involved in evaluating $e$ on the CEK machine. We charge unit cost for CEK-steps that do not involve operations on strings or else carry out operations that work on just the fronts of strings (e.g., $c_a$, $d$, and $t_a$). For steps that involve copying or examining the entirety of arbitrary strings (the oracle-application, $\delta_2$-application, and environment-application rules), our charge involves the sum of the lengths of the strings involved. Specifically:

Oracle application. Applying this rule has cost $1 \vee |O(v)|$ when $O(v)$ is of base type and 1 otherwise. (When $O(v)$ is of base type, an application of the oracle pops into memory a string of length $|O(v)|$. We view the action of entering this string in memory, character by character, as observable.)

$\delta_2$ application. Applying this rule has cost $1 + |v| + |v'|$. ($\mathit{down}$ looks at the entirety of its arguments.)

Environment application. Applying this rule has cost $1 \vee |\rho(x)|$ when $\rho(x)$ is of a base type and 1 otherwise. (Since our CEK machine starts with an arbitrary environment, the environment is essentially another oracle.)

Given this assignment of costs, we introduce:

Definition 48. For each expression $e$ and CEK-environment $\rho$,

$$\mathrm{cost}_{CEK}(e, \rho) \;\stackrel{\text{def}}{=}\; \begin{cases} s, & \text{if } \mathrm{eval}_{CEK}(e, \rho) \text{ is defined, where } s \text{ is the sum of the costs of the steps in this CEK-computation;}\\ \text{undefined}, & \text{otherwise,} \end{cases}$$

and for each ordinary environment $\rho$, $\mathrm{cost}_{CEK}(e, \rho) \stackrel{\text{def}}{=} \mathrm{cost}_{CEK}(e, \rho^*)$.

We note that the standard proof that storage modification machines and Turing machines are polynomially-related models of computation [Sch80] straightforwardly extends to show that, at type-levels 1 and 2, our CEK model of computation and cost is (second-order) polynomially related to Kapron and Cook's oracle Turing machines under their answer-length cost model [KC96].



12. Time bounds

As the next step towards showing polynomial time-boundedness for ATR, the present section sets up a formal framework for working with time bounds. We start by noting the obvious: run time is not an extensional property of programs. That is, $\mathcal{V}_{wt}$-equivalent expressions can have quite distinct run time properties. Because of this we introduce $\mathcal{T}$, a new semantics for ATR that provides upper bounds on the time complexity of expressions.

The setting. Our framework for time complexities uses the following simple setting.

CEK costs. Time costs are assigned to ATR-computations via the CEK cost model.

Worst-case bounds. $\mathcal{T}\llbracket e\rrbracket$ will provide a worst-case upper bound on the CEK cost of evaluating $e$, but not necessarily a tight upper bound.

No free lunch. All evaluations have positive costs. This even applies to "immediately evaluating" expressions (e.g., $\lambda$-expressions), since checking whether something "immediately evaluates" counts as a computation with costs.

Inputs as oracles. We treat each type-level 1 input $f$ as an oracle. In a time-complexity context this means that $f$ is thought of as answering any query in one time step, or equivalently, any computation involved in determining the reply to a query happens unobserved off-stage. Thus the cost of a query to $f$ involves only (i) the time to write down a query $v$, and (ii) the time to read the reply $f(v)$. The times (i) and (ii) are bounded by roughly $|v|$ and $|f|(|v|)$, respectively. Thus our time bounds will ultimately be expressed in terms of the lengths of the values of free and input variables.

Currying and time complexity. In common usage, "the time complexity of $e$" can mean one of two things. When $e$ is of base type, the phrase usually refers to the time required to compute the value of $e$. We might think of this as time past, the time it took to arrive at $e$'s value. When $e$ is of an arrow type and thus describes a procedure, the phrase usually refers to the function that, given the sizes of arguments, returns the maximum time the procedure will take when run on arguments of the specified sizes. We might think of this as time in possible futures in which $e$'s value is applied. An expression can have both a past and futures of interest. Consider $(e_0\, e_1)$ where $e_0$ is of type $\mathsf{N} \to \mathsf{N} \to \mathsf{N}$ and $e_1$ is of type $\mathsf{N}$. Then $(e_0\, e_1)$ has a time complexity in the first sense, as it took time to evaluate the expression, and, since $(e_0\, e_1)$ is of type $\mathsf{N} \to \mathsf{N}$, it also has a time complexity in the second sense. Now consider just $e_0$ itself. It too can have a nontrivial time complexity in the first sense, and the potential/futures part of $e_0$'s time complexity must account for the multiple senses of time complexity just attributed to $(e_0\, e_1)$. Type-level-2 expressions add further twists to the story. Our treatment of time complexity takes into account these extended senses.

Costs and potentials. In the following, the time complexity of an expression $e$ always has two components: a cost and a potential. A cost is always a positive (tally) integer and is intended to be an upper bound on the time it takes to evaluate $e$. The form of a potential depends on the type of $e$. Suppose $e$ is of a base (i.e., string) type. Then $e$'s potential is intended to be an upper bound on the length of its value, an element of $\omega$. The length of $e$'s value describes the potential of $e$ in the sense that when $e$'s value is used, its length is the only facet of the value that plays a role in determining time complexities. Now suppose $e$ is of type, say, $\mathsf{N}_\varepsilon \to \mathsf{N}_\varepsilon$. Then $e$'s potential will be an $f_e \in (\omega \to \omega \times \omega)$ that maps a $p \in \omega$ (the length/potential of the value of an argument of $e$) to a $(c_r, p_r) \in \omega \times \omega$, where $c_r$ is the cost of applying the value of $e$ to something of length $p$ and $p_r$ is the length/potential of the result. Note that $(c_r, p_r)$ is a time complexity for something of base type. Generalizing from this, our motto will be:

The potential of a type-$(\sigma \to \tau)$ thing is a map from potentials of type-$\sigma$ things to time complexities of type-$\tau$ things.$^{\dagger}$

Our first task in making good on this motto is to situate time complexities in a suitable semantic model.$^{\ddagger}$

A model for time complexities. The time types are the result of the following translations ($\|\cdot\|$ and $(\!(\cdot)\!)$) of ATR types:

$$\|\sigma\| = \mathsf{T} \times (\!(\sigma)\!). \qquad (\!(\mathsf{N}_\ell)\!) = \mathsf{T}_\ell. \qquad (\!(\sigma \to \tau)\!) = (\!(\sigma)\!) \to \|\tau\|.$$

So, $\|\mathsf{N}_\varepsilon \to \mathsf{N}_\square \to \mathsf{N}_\varepsilon\| = \mathsf{T} \times (\mathsf{T}_\varepsilon \to \mathsf{T} \times (\mathsf{T}_\square \to \mathsf{T} \times \mathsf{T}_\varepsilon))$ and $\|(\mathsf{N}_\varepsilon \to \mathsf{N}_\square) \to \mathsf{N}_\Diamond\| = \mathsf{T} \times ((\mathsf{T}_\varepsilon \to \mathsf{T} \times \mathsf{T}_\square) \to \mathsf{T} \times \mathsf{T}_\Diamond)$. The time types are thus a subset of the simple product types over $\{\mathsf{T}, \mathsf{T}_\varepsilon, \mathsf{T}_\square, \mathsf{T}_\Diamond, \dots\}$. The intent is that $\mathsf{T}$ is the type of costs, the $\mathsf{T}_\ell$'s help describe lengths, $\|\gamma\|$ is the type of complexity bounds of type-$\gamma$ objects, and $(\!(\gamma)\!)$ is the type of potentials of type-$\gamma$ objects. (Note: $(\!(\sigma \to \tau)\!)$'s definition parallels the motto.)

Our proof of polynomial time-boundedness for ATR (Theorem 79) needs to intertwine the size estimates implicit in potentials and the size bounds of Theorem 33. The semantics for the time types thus needs to be an extension of the $\mathcal{L}_{wt}$-semantics. To define this extension we use a combinator, $\mathrm{Pot}$, defined in Definition 60 below. For the moment it is enough to know that, for each ATR-type $\sigma$ and $p \in \mathcal{L}_{wt}\llbracket(\!(\sigma)\!)\rrbracket$, $\mathrm{Pot}(p) \in \mathcal{L}_{wt}\llbracket|\sigma|\rrbracket$ is a canonical projection of $p$ to a type-$|\sigma|$ size bound. Following the definition of $\mathrm{Pot}$, Lemma 61 notes that all of the notions introduced between here and there mesh properly.

Definition 49 ($\mathcal{L}_{wt}$ extended to the time types). Suppose $\sigma$ and $\tau$ are ATR types. Then $\mathcal{L}_{wt}\llbracket\|\sigma\|\rrbracket = \omega \times \mathcal{L}_{wt}\llbracket(\!(\sigma)\!)\rrbracket$, and $\mathcal{L}_{wt}\llbracket(\!(\sigma)\!)\rrbracket$ is inductively defined by $\mathcal{L}_{wt}\llbracket(\!(\mathsf{N}_\ell)\!)\rrbracket = \omega$ and $\mathcal{L}_{wt}\llbracket(\!(\sigma \to \tau)\!)\rrbracket =$ the set of all monotone Kleene-Kreisel functionals $f\colon \mathcal{L}_{wt}\llbracket(\!(\sigma)\!)\rrbracket \to \mathcal{L}_{wt}\llbracket\|\tau\|\rrbracket$ such that: (i) $\mathrm{Pot}(f) \in \mathcal{L}_{wt}\llbracket|\sigma \to \tau|\rrbracket$ and (ii) $\mathrm{Pot}(f(p_1)) = \mathrm{Pot}(f(p_2))$ whenever $\mathrm{Pot}(p_1) = \mathrm{Pot}(p_2)$.

Condition (i) above restricts $\mathcal{L}_{wt}\llbracket(\!(\sigma \to \tau)\!)\rrbracket$ so that the projection $\mathrm{Pot}$ acts as advertised. Condition (ii) restricts each $f \in \mathcal{L}_{wt}\llbracket(\!(\sigma \to \tau)\!)\rrbracket$ so that the size information in $f(p)$ depends only on the size information in $p$.

We can now define the $\mathcal{T}$ (time-complexity) and $\mathcal{P}$ (potential) interpretations of the ATR types. (The $\mathcal{P}$-interpretation is a notational convenience.)

Definition 50. Suppose $\sigma$ is an ATR-type. Then $\mathcal{T}\llbracket\sigma\rrbracket \stackrel{\text{def}}{=} \mathcal{L}_{wt}\llbracket\|\sigma\|\rrbracket$ and $\mathcal{P}\llbracket\sigma\rrbracket \stackrel{\text{def}}{=} \mathcal{L}_{wt}\llbracket(\!(\sigma)\!)\rrbracket$.



The $\mathcal{T}$-interpretation of constants and oracles. The following two definitions introduce a translation from the $\mathcal{V}_{wt}$ model into the $\mathcal{T}$ model. We use this translation to assign time complexities to program inputs: string constants and oracles.

Definition 51. Let $\|a\| \stackrel{\text{def}}{=} (1 \vee |a|,\ (\!(a)\!))$ and $(\!(a)\!) \stackrel{\text{def}}{=} |a|$ for each $a \in \mathcal{V}_{wt}\llbracket\mathsf{N}_\ell\rrbracket$.

$^{\dagger}$In a more general setting (e.g., call-by-name), a $(\sigma \to \tau)$ potential is a map from $\sigma$-time-complexities to $\tau$-time-complexities, as an operator may be applied to an unevaluated operand.

$^{\ddagger}$N.B. The time-complexity cost/potential distinction appears in prior work [San90, Shu85, VS03]. Remark 82 below discusses this prior work and how it relates to ours.
By Lemma 61(a) below, $\|a\| \in \mathcal{T}\llbracket\mathsf{N}_\ell\rrbracket$. We view $\|a\|$ as the time complexity of the string/integer constant $a$. The interpretation of the cost component of $\|a\|$ is that the cost of evaluating the constant $a$ is the cost of writing down $a$ character by character. (When $a = \varepsilon$, we still charge 1.)

Definition 52. Let $\|f\| \stackrel{\text{def}}{=} (1, (\!(f)\!))$ and $(\!(f)\!) \stackrel{\text{def}}{=} \lambda p \in \mathcal{P}\llbracket\sigma\rrbracket.\,\max\{\, \|f(v)\| \;:\; (\!(v)\!) \leq p \,\}$ for each $f \in \mathcal{V}_{wt}\llbracket\sigma \to \tau\rrbracket$.

By Lemma 61(a) below, $\|f\| \in \mathcal{T}\llbracket\sigma \to \tau\rrbracket$. We view $\|f\|$ as the time complexity of $f$ as an oracle: the only time costs associated with applying $f$ are those involved in setting up applications of $f$ and reading off the results. Recall that under call-by-value, a $\lambda$-expression immediately evaluates to itself. The function-symbol $f$ will be treated analogously to a $\lambda$-term. Hence, the cost component of $\|f\|$ is 1. The definition of $(\!(f)\!)$ parallels both our informal discussion of the notion of the potential of a type-level 1 function and the definition of the length of functions of type levels 1 and 2 in §2.10. One can show that when $f$ is of type-level 2, $(\!(f)\!)$ is total. (The argument is similar to the proof of the totality of the type-level 2 notion of length defined by (2.3) in §2.10.)

Definition 51 and the type-level 1 part of Definition 52 describe the time complexities of possible ATR inputs. The following lemma unpacks the definition of $(\!(f)\!)$ for $f$ of type-level 1. The proof is a straightforward induction and hence omitted.

Lemma 53. For $f \in \mathcal{V}_{wt}\llbracket(\mathsf{N}_{\ell_1}, \dots, \mathsf{N}_{\ell_k}) \to \mathsf{N}_{\ell_0}\rrbracket$, $(\!(f)\!) = q_1$, where $q_i = \lambda p_i \in \omega.\,(1, q_{i+1})$ (for $1 \leq i < k$) and $q_k = \lambda p_k \in \omega.\,(1 \vee |f|(p_1, \dots, p_k),\ |f|(p_1, \dots, p_k))$.



$\mathcal{T}$-Applications.

Definition 54.

(a) Suppose $t_0 \in \mathcal{T}\llbracket\sigma \to \tau\rrbracket$ and $t_1 \in \mathcal{T}\llbracket\sigma\rrbracket$, where $t_0 = (c_0, p_0)$, $t_1 = (c_1, p_1)$, and $(c_r, p_r) = p_0(p_1)$. Then $t_0 \star t_1 \stackrel{\text{def}}{=} (c_0 + c_1 + c_r + 3,\ p_r)$.

(b) Suppose $t_0 \in \mathcal{T}\llbracket(\sigma_1, \dots, \sigma_k) \to \tau\rrbracket$, $t_1 \in \mathcal{T}\llbracket\sigma_1\rrbracket$, …, $t_k \in \mathcal{T}\llbracket\sigma_k\rrbracket$. Then $t_0 \star \vec{t} \stackrel{\text{def}}{=} t_0 \star t_1 \star \dots \star t_k$. (The $\star$ operation left associates.)

By Lemma 61(b) below, $t_0 \star t_1 \in \mathcal{T}\llbracket\tau\rrbracket$ when $t_0 \in \mathcal{T}\llbracket\sigma \to \tau\rrbracket$ and $t_1 \in \mathcal{T}\llbracket\sigma\rrbracket$. Suppose that $t_0$ (respectively, $t_1$) is the time complexity of a type-$(\sigma \to \tau)$ expression $e_0$ (respectively, type-$\sigma$ expression $e_1$). Then $t_0 \star t_1$ is intended to be the time complexity of $(e_0\, e_1)$. The cost component of $t_0 \star t_1$ is: (the cost of evaluating $e_0$) + (the cost of evaluating $e_1$) + (the cost of applying $e_0$'s value to $e_1$'s value) + 3, where the 3 is the CEK-overhead of an application. The potential component is simply the potential of the result of the application. The next lemma works out the effect of the $\star$ operation for type-level 1 oracles.

Lemma 55. Suppose $f \in \mathcal{V}_{wt}\llbracket(\mathsf{N}_{\ell_1}, \dots, \mathsf{N}_{\ell_k}) \to \mathsf{N}_{\ell_0}\rrbracket$, $v_1 \in \mathcal{V}_{wt}\llbracket\mathsf{N}_{\ell_1}\rrbracket$, …, $v_k \in \mathcal{V}_{wt}\llbracket\mathsf{N}_{\ell_k}\rrbracket$. Then

$$\|f\| \star \|\vec v\| = \Big(\Big(\sum_{i=1}^{k} (1 \vee |v_i|)\Big) + 1 \vee |f|(|\vec v|) + 5k - 1,\ \ |f|(|\vec v|)\Big), \qquad (12.1)$$

where $\|\vec v\|$ abbreviates $\|v_1\|, \dots, \|v_k\|$ and $|\vec v|$ abbreviates $|v_1|, \dots, |v_k|$.

The proof is a straightforward calculation. Equation (12.1) can be interpreted as giving an upper bound on the time complexity of applying an oracle $f$ to arguments $v_1, \dots, v_k$. Let us consider the cost component of the $k = 1$ and $k = 2$ cases of (12.1) in more detail.
For $k = 1$, the right-hand side of (12.1) simplifies to: $\big((1 \vee |v_1|) + 1 \vee |f|(|v_1|) + 4,\ |f|(|v_1|)\big)$. Its cost component is broken down in Figure 21. For $k = 2$, the right-hand side of (12.1) simplifies to: $\big((1 \vee |v_1|) + (1 \vee |v_2|) + 1 \vee |f|(|v_1|, |v_2|) + 9,\ |f|(|v_1|, |v_2|)\big)$. We leave it to the reader to break down its cost component.

Figure 21: Breakdown of the cost component of $\|f\| \star \|v_1\|$:
$1$ = the cost of evaluating $f$;
$1 \vee |v_1|$ = the cost of evaluating $v_1$, i.e., the cost of writing down the value $v_1$;
$1 \vee |f|(|v_1|)$ = the cost of applying $f$ to $v_1$, i.e., the cost of writing down $f(v_1)$'s value;
$3$ = the overhead of the application.

$\mathcal{T}$-Environments. As a companion to $\mathcal{T}$-application we shall define an analogue of currying in $\mathcal{T}$. First, we introduce $\mathcal{T}$-environments. Recall that in a call-by-value language, variables name values [Plo75], i.e., the end result of a (terminating) evaluation. Thus, a value does not need to be evaluated again, at least no more than an input value does. Hence, if a $\mathcal{T}$-environment maps a variable to a type-$\gamma$ time complexity $(c, p)$, then $c$ should be: $1 \vee p$, when $\gamma$ is a base type, and 1, when $\gamma$ is an arrow type.

Definition 56. Suppose $\sigma$ and $\tau$ vary over ATR types and $\Gamma; \Delta$ is an ATR type context.

(a) $\|\Gamma; \Delta\| \stackrel{\text{def}}{=} \{\, x{:}\,\|\sigma\| \;\mid\; (\Gamma; \Delta)(x) = \sigma \,\}$.

(b) For $p \in \mathcal{P}\llbracket\mathsf{N}_\ell\rrbracket$, $\mathrm{val}(p) \stackrel{\text{def}}{=} (1 \vee p,\ p)$.

(c) For $p \in \mathcal{P}\llbracket\sigma \to \tau\rrbracket$, $\mathrm{val}(p) \stackrel{\text{def}}{=} (1, p)$.

(d) $\mathcal{T}_{\mathrm{val}}\llbracket\sigma\rrbracket \stackrel{\text{def}}{=} \{\, \mathrm{val}(p) \;\mid\; p \in \mathcal{P}\llbracket\sigma\rrbracket \,\}$.

(e) $\mathcal{T}\llbracket\Gamma; \Delta\rrbracket$ is the set of all finite maps of the form $\{x_1 \mapsto t_1, \dots, x_k \mapsto t_k\}$, where $\{x_1, \dots, x_k\} = \mathrm{preimage}(\Gamma; \Delta)$, and, for $i = 1, \dots, k$, $t_i \in \mathcal{T}_{\mathrm{val}}\llbracket(\Gamma; \Delta)(x_i)\rrbracket$.

(f) For each $\rho \in \mathcal{V}_{wt}\llbracket\Gamma; \Delta\rrbracket$, define $\|\rho\| \in \mathcal{T}\llbracket\Gamma; \Delta\rrbracket$ by $\|\rho\|(x) = \|\rho(x)\|$. Such a $\|\rho\|$ is called an oracle environment.

Convention: We use $\varrho$ as a variable over $\mathcal{T}$-environments. N.B. Not every $\varrho$ of interest is an oracle environment.

$\mathcal{T}$-currying. Here then is our time-complexity analogue to currying. Recall that $\mathcal{T}\llbracket\Gamma; \Delta \vdash e{:}\,\tau\rrbracket$ will be (when we get around to defining it) a function from $\mathcal{T}\llbracket\Gamma; \Delta\rrbracket$ to $\mathcal{T}\llbracket\tau\rrbracket$.

Definition 57. Suppose (i) $\Gamma; \Delta$ is an ATR type context with $(\Gamma; \Delta)(x_i) = \sigma_i$, for $i = 1, \dots, k$; (ii) $\Gamma'; \Delta'$ is the result of removing $x_1{:}\,\sigma_1$ from $\Gamma; \Delta$; and (iii) $X$ is a function from $\mathcal{T}\llbracket\Gamma; \Delta\rrbracket$ to $\mathcal{T}\llbracket\tau\rrbracket$. Then $\Lambda_{\mathcal{T}}(x_1, X)$ is the function from $\mathcal{T}\llbracket\Gamma'; \Delta'\rrbracket$ to $\mathcal{T}\llbracket\sigma_1 \to \tau\rrbracket$ given by:

$$\Lambda_{\mathcal{T}}(x_1, X)\,\varrho' = \big(1,\ \lambda p \in \mathcal{P}\llbracket\sigma_1\rrbracket.\,(X(\varrho' \cup \{x_1 \mapsto \mathrm{val}(p)\}))\big), \qquad (12.2)$$

where $\varrho' \in \mathcal{T}\llbracket\Gamma'; \Delta'\rrbracket$. Also, $\Lambda_{\mathcal{T}}(x_1, x_2, \dots, x_k, X) \stackrel{\text{def}}{=} \Lambda_{\mathcal{T}}(x_1, \Lambda_{\mathcal{T}}(x_2, \dots, x_k, X))$ when $k > 1$.

Note the complementary roles of $\Lambda_{\mathcal{T}}$ and $\star$: $\Lambda_{\mathcal{T}}$ shifts the past (the cost) into the future (the potential) and $\star$ shifts part of the future (the potential) into the past (the cost). This being complexity theory, there are carrying charges on all this shifting. This is illustrated in the next lemma, which shows how $\Lambda_{\mathcal{T}}$ and $\star$ interact. First, we introduce:
Definition 58. $\mathrm{dally}(d, (c, p)) \stackrel{\text{def}}{=} (c + d,\ p)$ for $d \in \omega$ and $(c, p)$ a time complexity.

Lemma 59 (Almost the $\eta$-law). Suppose $\Gamma$, $\Delta$, $X$, $x_i$, $\sigma_i$, and $\tau$ are as in Definition 57. Let $\Gamma'; \Delta'$ be the result of removing $x_1{:}\,\sigma_1, \dots, x_k{:}\,\sigma_k$ from $\Gamma; \Delta$. Let $\varrho \in \mathcal{T}\llbracket\Gamma; \Delta\rrbracket$ and let $\varrho'$ be the restriction of $\varrho$ to $\mathrm{preimage}(\Gamma'; \Delta')$. Then

$$\big(\Lambda_{\mathcal{T}}(x_1, \dots, x_k, X)\,\varrho'\big) \star \varrho(x_1) \star \dots \star \varrho(x_k) = \mathrm{dally}\Big(3 \cdot k + k + \sum_{i=1}^{k} c_i,\ X\varrho\Big), \qquad (12.3)$$

where $(c_1, p_1) = \varrho(x_1), \dots, (c_k, p_k) = \varrho(x_k)$.

The lemma's proof is another straightforward calculation.



Projections. The next definition introduces a way of recovering more conventional bounds from time complexities. Note, by Definitions 51 and 52 and Lemmas 53 and 55, when $v$ is a string constant or a type-1 oracle, the value of $\|v\|$ is a function of the value of $|v|$. So, by an abuse of notation, we treat $\|v\|$ as a function of $|v|$ for such $v$.

Definition 60. Suppose $\sigma$ and $(\sigma_1, \dots, \sigma_k) \to \mathsf{N}_\ell$ are ATR types.

(a) For each $t \in \mathcal{T}\llbracket\sigma\rrbracket$, let $\mathrm{cost}(t) \stackrel{\text{def}}{=} \pi_1(t)$ and $\mathrm{pot}(t) \stackrel{\text{def}}{=} \pi_2(t)$. (So, $t = (\mathrm{cost}(t), \mathrm{pot}(t))$.)

(b) For each $t \in \mathcal{T}\llbracket\mathsf{N}_\ell\rrbracket$, let $\mathrm{Cost}(t) \stackrel{\text{def}}{=} \mathrm{cost}(t)$ and $\mathrm{Pot}(t) \stackrel{\text{def}}{=} \mathrm{pot}(t)$ and, for each $t \in \mathcal{T}\llbracket(\sigma_1, \dots, \sigma_k) \to \mathsf{N}_\ell\rrbracket$, let:

$$\mathrm{Cost}(t) \stackrel{\text{def}}{=} \lambda|\vec v|.\,\mathrm{cost}(t \star \|\vec v\|), \qquad \mathrm{Pot}(t) \stackrel{\text{def}}{=} \lambda|\vec v|.\,\mathrm{pot}(t \star \|\vec v\|),$$

where $|\vec v|$ abbreviates $|v_1| \in \mathcal{L}_{wt}\llbracket\sigma_1\rrbracket, \dots, |v_k| \in \mathcal{L}_{wt}\llbracket\sigma_k\rrbracket$ and $\|\vec v\|$ abbreviates $\|v_1\|, \dots, \|v_k\|$. (So, $t \star \|\vec v\| = (\mathrm{Cost}(t)(|\vec v|),\ \mathrm{Pot}(t)(|\vec v|))$.) We call $\mathrm{Cost}(t)$ and $\mathrm{Pot}(t)$, respectively, the base cost and base potential of $t$.

(c) For each $p \in \mathcal{P}\llbracket\sigma\rrbracket$, let $\mathrm{Pot}(p) \stackrel{\text{def}}{=} \mathrm{Pot}((1, p))$.

Suppose $t$ is the time complexity of $e$ of type $(\vec\sigma) \to \mathsf{N}_\ell$. Then both $\mathrm{Cost}(t)$ and $\mathrm{Pot}(t)$ are functions of the sizes of possible arguments of $e$. The intent is that $\mathrm{Cost}(t)(|\vec v|)$ is an upper bound on the time cost of first evaluating $e$ and then applying its value to arguments of the specified sizes, and that $\mathrm{Pot}(t)$ is an upper bound on the length of $e$'s value.

With $\mathrm{Pot}$'s definition in hand, we make good on the promise to check that the notions defined between Definitions 49 and 60 make sense.

Lemma 61. Suppose $\sigma$ and $\sigma \to \tau$ are ATR types.

(a) For each $v \in \mathcal{V}_{wt}\llbracket\sigma\rrbracket$, $\|v\| \in \mathcal{T}\llbracket\sigma\rrbracket$ and $\mathrm{Pot}(\|v\|) = |v|$.

(b) For each $t_0 \in \mathcal{T}\llbracket\sigma \to \tau\rrbracket$ and $t_1 \in \mathcal{T}\llbracket\sigma\rrbracket$, $t_0 \star t_1 \in \mathcal{T}\llbracket\tau\rrbracket$.

(c) $\Lambda_{\mathcal{T}}$ is well-defined in the sense that the left-hand side of (12.2) is in $\mathcal{T}\llbracket\sigma_1 \to \tau\rrbracket$ as asserted in Definition 57.

All three parts follow straightforwardly from the definitions.



Time-complexity polynomials. To complete the basic time-complexity framework, we define an extension of the second-order polynomials for the simple product types over $\mathsf{T}, \mathsf{T}_\varepsilon, \mathsf{T}_\square, \dots$ under the $\mathcal{L}$-semantics. The restriction of these to the time types under the $\mathcal{L}_{wt}$-semantics are the time-complexity polynomials. First we extend the grammar for raw expressions to include: $P ::= (P, P) \mid \pi_1(P) \mid \pi_2(P)$. Then we add the following new typing rules for second-order polynomials:

$$\frac{\Sigma \vdash p{:}\,\sigma_1 \times \sigma_2}{\Sigma \vdash \pi_i(p){:}\,\sigma_i} \qquad \frac{\Sigma_1 \vdash p_1{:}\,\sigma_1 \quad\ \Sigma_2 \vdash p_2{:}\,\sigma_2}{\Sigma_1 \cup \Sigma_2 \vdash (p_1, p_2){:}\,\sigma_1 \times \sigma_2} \qquad \frac{\Sigma_1 \vdash p_1{:}\,\sigma \quad\ \Sigma_2 \vdash p_2{:}\,\sigma}{\Sigma_1 \cup \Sigma_2 \vdash p_1 \odot p_2{:}\,\sigma}$$

where $\sigma$, $\sigma_1$, and $\sigma_2$ are simple product types over $\mathsf{T}, \mathsf{T}_\varepsilon, \mathsf{T}_\square, \dots$ and $\odot$ stands for any of $*$, $+$, or $\vee$. Next we extend the arithmetic operations to all types by recursively defining, for each $\gamma$ and each $u, v \in \mathcal{L}\llbracket\gamma\rrbracket$:

$$u \odot v \;\stackrel{\text{def}}{=}\; \begin{cases} \text{the standard thing}, & \text{if } \gamma = \mathsf{T};\\ (\pi_1(u) \odot \pi_1(v),\ \pi_2(u) \odot \pi_2(v)), & \text{if } \gamma = \sigma \times \tau;\\ \lambda z \in \mathcal{L}\llbracket\sigma\rrbracket.\,(u(z) \odot v(z)), & \text{if } \gamma = \sigma \to \tau. \end{cases} \qquad (12.4)$$

Finally, the $\mathcal{L}$-interpretation of the polynomials is just the standard definition.

Remark 62. Note that $q_1$ of Lemma 53 and the right-hand sides of (12.1) and (12.3) are well-typed time-complexity polynomials. Also note that by Definition 54(a), if $q_1$ and $q_2$ are time-complexity polynomials with $\|\Gamma; \Delta\| \vdash q_1{:}\,\|\sigma \to \tau\|$ and $\|\Gamma; \Delta\| \vdash q_2{:}\,\|\sigma\|$, then $q_1 \star q_2$ is a time-complexity polynomial with $\|\Gamma; \Delta\| \vdash q_1 \star q_2{:}\,\|\tau\|$.

Figure 22: The $\mathcal{T}$-interpretation of ATR$^-$.

$$\mathcal{T}\llbracket k\rrbracket\,\varrho \stackrel{\text{def}}{=} \|k\|. \qquad \mathcal{T}\llbracket(c_a\, e_0)\rrbracket\,\varrho \stackrel{\text{def}}{=} (c_0 + 2,\ p_0 + 1).$$
$$\mathcal{T}\llbracket(t_a\, e_0)\rrbracket\,\varrho \stackrel{\text{def}}{=} (c_0 + 2,\ 1). \qquad \mathcal{T}\llbracket(d\, e_0)\rrbracket\,\varrho \stackrel{\text{def}}{=} (c_0 + 2,\ (p_0 - 1) \vee 0).$$
$$\mathcal{T}\llbracket x\rrbracket\,\varrho \stackrel{\text{def}}{=} \varrho(x). \qquad \mathcal{T}\llbracket(\mathbf{down}\ e_0\ e_1)\rrbracket\,\varrho \stackrel{\text{def}}{=} (c_0 + c_1 + p_0 + p_1 + 3,\ \min(p_0, p_1)).$$
$$\mathcal{T}\llbracket(\lambda x.\,e_0)\rrbracket\,\varrho \stackrel{\text{def}}{=} \Lambda_{\mathcal{T}}(x, \mathcal{T}\llbracket e_0\rrbracket)\,\varrho. \qquad \mathcal{T}\llbracket(e_0\, e_1)\rrbracket\,\varrho \stackrel{\text{def}}{=} (\mathcal{T}\llbracket e_0\rrbracket\,\varrho) \star (\mathcal{T}\llbracket e_1\rrbracket\,\varrho).$$
$$\mathcal{T}\llbracket(\mathbf{if}\ e_0\ \mathbf{then}\ e_1\ \mathbf{else}\ e_2)\rrbracket\,\varrho \stackrel{\text{def}}{=} (c_0 + 2,\ 0) + (c_1, p_1) \vee (c_2, p_2).$$

Above: $k$ is a string constant, $\varrho \in \mathcal{T}\llbracket\Gamma; \Delta\rrbracket$, and $(c_i, p_i) = \mathcal{T}\llbracket\Gamma; \Delta \vdash e_i{:}\,\gamma_i\rrbracket\,\varrho$ for $i = 0, 1, 2$.






13. The time-complexity interpretation of ATR$^-$

Here we establish a polynomial time-boundedness result for ATR$^-$, the subsystem of ATR obtained by dropping the crec construct. Definition 63 introduces the $\mathcal{T}$-interpretation of ATR$^-$ and the proof of Theorem 67 shows that ATR$^-$-expressions have time complexities that are polynomially bounded and well-behaved in other ways. All of this turns out to be pleasantly straightforward. The hard work comes in the following two sections: §14 establishes a key time-complexity decomposition property concerning the affine types and §15 uses this decomposition to define the $\mathcal{T}$-interpretation of crec expressions and to prove a polynomial boundedness theorem for ATR time complexities.

Convention: Throughout this section suppose that $\gamma$, $\sigma$, and $\tau$ are ATR types and $\Gamma; \Delta$ is an ATR type context.

Definition 63. Figure 22 provides the $\mathcal{T}$-interpretation for each ATR$^-$ construct.

We note that our $\mathcal{T}$-interpretation of ATR$^-$ is well-defined in the sense that $\mathcal{T}\llbracket\Gamma; \Delta \vdash e{:}\,\gamma\rrbracket\,\varrho \in \mathcal{T}\llbracket\gamma\rrbracket$ for each ATR$^-$ judgment $\Gamma; \Delta \vdash e{:}\,\gamma$ and $\varrho \in \mathcal{T}\llbracket\Gamma; \Delta\rrbracket$. (This follows from Lemma 61 and some straightforward calculations.) Here is a simple application of Definition 63. Let $g = (\lambda y.\,(c_0\,(c_0\, y))){:}\ \mathsf{N}_\varepsilon \to \mathsf{N}_\square$ and $A = (\lambda f.\,(\lambda x.\,(f\, x))){:}\ (\mathsf{N}_\varepsilon \to \mathsf{N}_\square) \to \mathsf{N}_\varepsilon \to \mathsf{N}_\Diamond$. We write $\mathcal{T}\llbracket e\rrbracket$ for $\mathcal{T}\llbracket e\rrbracket\{\}$ to cut some clutter. The reader may check that:

$$\mathcal{T}\llbracket g\rrbracket = \big(1,\ \lambda p_y \in \mathcal{P}\llbracket\mathsf{N}_\varepsilon\rrbracket.\,(1 \vee p_y + 4,\ p_y + 2)\big).$$
$$\mathcal{T}\llbracket A\rrbracket = \big(1,\ \lambda p_f \in \mathcal{P}\llbracket\mathsf{N}_\varepsilon \to \mathsf{N}_\square\rrbracket.\,(1,\ \lambda p_x \in \mathcal{P}\llbracket\mathsf{N}_\varepsilon\rrbracket.\,\mathrm{val}(p_f) \star \mathrm{val}(p_x))\big).$$
$$\mathcal{T}\llbracket(A\, g)\rrbracket = (\mathcal{T}\llbracket A\rrbracket) \star (\mathcal{T}\llbracket g\rrbracket) = \mathrm{dally}(7, \mathcal{T}\llbracket g\rrbracket).$$
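The following Python is an added example, not code from the paper: it renders the time-complexity algebra of §12 (Definitions 51 to 58 and the $\vee$ of (12.4)) and the Figure 22 interpretation of Definition 63 as executable definitions, so that the worked example above and the $k = 1$ instances of Lemmas 55 and 59 can be recomputed. Time complexities are (cost, potential) pairs with integer potentials at base type and Python callables at arrow type. The tagged-tuple term encoding, the function names, the oracle length `f_len` (standing in for $|f|$) and the sample lengths are all constructed here and are not the paper's notation; `G` is the $g = \lambda y.\,(c_0\,(c_0\,y))$ of the text.

```python
"""Added example: the (cost, potential) algebra of Section 12 and the Figure 22
interpretation as executable Python.  Potentials are ints at base type and
callables at arrow type.  Not the paper's own code."""


def star(t0, t1):
    """Definition 54(a): t0 * t1 = (c0 + c1 + cr + 3, pr) with (cr, pr) = p0(p1)."""
    (c0, p0), (c1, p1) = t0, t1
    cr, pr = p0(p1)
    return (c0 + c1 + cr + 3, pr)

def norm_const_len(n):
    """Definition 51 read as a function of the length |a|: ||a|| = (1 v |a|, |a|)."""
    return (max(1, n), n)

def norm_oracle(f_len, k):
    """Lemma 53 (Definition 52 unpacked) for an arity-k oracle whose length |f| is f_len:
    ||f|| = (1, q_1), q_i = lambda p_i.(1, q_{i+1}) for i < k,
    q_k = lambda p_k.(1 v |f|(p_1..p_k), |f|(p_1..p_k))."""
    def q(i, args):
        if i == k:
            return lambda p: (max(1, f_len(*args, p)), f_len(*args, p))
        return lambda p: (1, q(i + 1, args + (p,)))
    return (1, q(1, ()))

def val(p):
    """Definition 56(b),(c): val(p) = (1 v p, p) at base type, (1, p) at arrow type."""
    return (max(1, p), p) if isinstance(p, int) else (1, p)

def lam_T(x, X):
    """Definition 57, one variable: Lambda_T(x, X) rho' = (1, lambda p. X(rho' u {x -> val(p)}))."""
    return lambda rho: (1, lambda p: X({**rho, x: val(p)}))

def dally(d, t):
    """Definition 58: dally(d, (c, p)) = (c + d, p)."""
    return (t[0] + d, t[1])

def join(u, v):
    """The v of (12.4): max on omega, componentwise on pairs, pointwise on functions."""
    if isinstance(u, int):
        return max(u, v)
    if isinstance(u, tuple):
        return tuple(join(a, b) for a, b in zip(u, v))
    return lambda z: join(u(z), v(z))

# Figure 22 over a term encoding chosen here (tagged tuples):
#   ('const', n) constant of length n, ('var', x), ('c', e), ('t', e), ('d', e),
#   ('down', e0, e1), ('lam', x, e), ('app', e0, e1), ('if', e0, e1, e2).
def T(e, rho):
    tag = e[0]
    if tag == 'const':
        return norm_const_len(e[1])             # T[[k]] rho = ||k||
    if tag == 'var':
        return rho[e[1]]                        # T[[x]] rho = rho(x)
    if tag in ('c', 't', 'd'):
        c0, p0 = T(e[1], rho)
        p1 = {'c': p0 + 1, 't': 1, 'd': max(p0 - 1, 0)}[tag]
        return (c0 + 2, p1)                     # c_a, t_a and d each add 2 to the cost
    if tag == 'down':
        (c0, p0), (c1, p1) = T(e[1], rho), T(e[2], rho)
        return (c0 + c1 + p0 + p1 + 3, min(p0, p1))
    if tag == 'lam':
        return lam_T(e[1], lambda r: T(e[2], r))(rho)
    if tag == 'app':
        return star(T(e[1], rho), T(e[2], rho))
    if tag == 'if':                             # (c0 + 2, 0) + ((c1, p1) v (c2, p2))
        (c0, _), t1, t2 = T(e[1], rho), T(e[2], rho), T(e[3], rho)
        cj, pj = join(t1, t2)
        return (c0 + 2 + cj, pj)
    raise ValueError(f"unknown construct {tag}")

# Constructed inputs for the checks below.
def f_len(p):
    return 2 * p                                # a constructed length |f| for an oracle f: N -> N

G = ('lam', 'y', ('c', ('c', ('var', 'y'))))    # g = lambda y. c_0 (c_0 y) from the text

def tc_of_g(p_y):
    """pot(T[[g]]) applied to p_y; the text gives (1 v p_y + 4, p_y + 2)."""
    _cost, pot_g = T(G, {})
    return pot_g(p_y)

def check_lemma55_k1(v_len):
    """||f|| * ||v1|| beside the k = 1 instance of (12.1): ((1 v |v1|) + 1 v |f|(|v1|) + 4, |f|(|v1|))."""
    lhs = star(norm_oracle(f_len, 1), norm_const_len(v_len))
    rhs = (max(1, v_len) + max(1, f_len(v_len)) + 4, f_len(v_len))
    return lhs, rhs

def check_lemma59_k1(v_len):
    """Both sides of (12.3) for k = 1, X = T[[c_0 x]], in the oracle environment {x -> ||v||}."""
    X = lambda r: T(('c', ('var', 'x')), r)
    rho = {'x': norm_const_len(v_len)}
    lhs = star(lam_T('x', X)({}), rho['x'])
    rhs = dally(3 * 1 + 1 + rho['x'][0], X(rho))
    return lhs, rhs
```

Running `tc_of_g(3)` gives `(7, 5)`, i.e. $(1 \vee 3 + 4,\ 3 + 2)$, and the two check functions return equal pairs for any length; the interpreter covers only the ATR$^-$ constructs of Figure 22, so crec is deliberately absent.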

There are three key things to establish about the time complexities assigned by $\mathcal{T}$, that they are: not too big, not too small, and well-behaved. "Not too big" means that the time complexities are polynomially bounded in the sense of Definition 64 below. "Not too small" means that $\mathrm{cost}_{CEK}(e, \rho) \leq \mathrm{cost}(\mathcal{T}\llbracket e\rrbracket\,\|\rho\|)$ and $|\mathcal{V}_{wt}\llbracket e\rrbracket\rho| \leq \mathrm{Pot}(\mathcal{T}\llbracket e\rrbracket\,\|\rho\|)$. This "not too small" property (soundness) is introduced in Definition 65. Finally, "well-behaved" means that the $\mathcal{T}$-assigned time complexities are monotone (Definition 66), which requires that $\mathcal{T}\llbracket e\rrbracket\,\varrho \leq \mathcal{T}\llbracket e\rrbracket\,\varrho'$ when $\varrho \leq \varrho'$ (see Definition 66(a)) and that when $\mathcal{T}\llbracket e\rrbracket\,\varrho$ is a function, it is pointwise, monotone nondecreasing. Monotonicity plays an important role in dealing with crec. Theorem 67 establishes that the $\mathcal{T}$-interpretation of ATR$^-$ satisfies each of these properties. Let $\mathcal{F}$ range over programming formalisms (e.g., ATR$^-$ or ATR) in the following.

Definition 64 (Polynomial time-boundedness). A $\mathcal{T}$-interpretation of $\mathcal{F}$ is polynomial time-bounded when, given $\Gamma; \Delta \vdash_{\mathcal{F}} e{:}\,\gamma$, we can effectively find a time-complexity polynomial $p_e$ with $\|\Gamma; \Delta\| \vdash p_e{:}\,\|\gamma\|$ such that $\mathcal{T}\llbracket e\rrbracket\,\|\rho\| \leq \mathcal{L}_{wt}\llbracket p_e\rrbracket\,|\rho|$ for each $\rho \in \mathcal{V}_{wt}\llbracket\Gamma; \Delta\rrbracket$.

Definition 65 (Soundness). A $\mathcal{T}$-interpretation of $\mathcal{F}$ is sound when, for each $\Gamma; \Delta \vdash_{\mathcal{F}} e{:}\,\gamma$ and each $\rho \in \mathcal{V}_{wt}\llbracket\Gamma; \Delta\rrbracket$, we have $\mathrm{cost}_{CEK}(e, \rho) \leq \mathrm{cost}(\mathcal{T}\llbracket e\rrbracket\,\|\rho\|)$ and $|\mathcal{V}_{wt}\llbracket e\rrbracket\rho| \leq \mathrm{Pot}(\mathcal{T}\llbracket e\rrbracket\,\|\rho\|)$.

Definition 66 (Monotonicity).

(a) For $\varrho, \varrho' \in \mathcal{T}\llbracket\Gamma; \Delta\rrbracket$, we write $\varrho \leq \varrho'$ when $\varrho(x) \leq \varrho'(x)$ for each $x \in \mathrm{preimage}(\Gamma; \Delta)$.

(b) We say that a $\mathcal{T}$-interpretation of $\mathcal{F}$ is monotone when, for each $\Gamma; \Delta \vdash_{\mathcal{F}} e{:}\,\gamma$: (i) $\mathcal{T}\llbracket e\rrbracket$ is a pointwise, monotone nondecreasing function from $\mathcal{T}\llbracket\Gamma; \Delta\rrbracket$ to $\mathcal{T}\llbracket\gamma\rrbracket$, and (ii) if $\gamma = (\sigma_0, \dots, \sigma_k) \to b$, then the function from $\mathcal{T}\llbracket\Gamma; \Delta\rrbracket \times \mathcal{T}\llbracket\sigma_0\rrbracket \times \dots \times \mathcal{T}\llbracket\sigma_k\rrbracket$ to $\mathcal{T}\llbracket b\rrbracket$ given by $(\varrho, v_0, \dots, v_k) \mapsto ((\mathcal{T}\llbracket e\rrbracket\,\varrho)\, v_0 \dots v_k)$ is pointwise, monotone nondecreasing.

Theorem 67. The $\mathcal{T}$-interpretation of ATR$^-$ is (a) polynomial time-bounded, (b) monotone, and (c) sound.

The proofs of parts (a) and (b) are straightforward standard structural inductions, but the argument for (c) is a logical-relations argument [Win93]. Before proving the above we first introduce a few useful time-complexity polynomials.

Definition 68. N.B. The following definitions are purely syntactic. (a) Suppose $v \in \mathsf{N}$. Let $\|v\| \stackrel{\text{def}}{=} (1 \vee |v|,\ |v|)$. (b) For each base type $b$, let $\|x\|_b \stackrel{\text{def}}{=} (1 \vee |x|,\ |x|)$. (c) For each $\gamma = (b_1, \dots, b_k) \to b_0$, let $\|x\|_\gamma \stackrel{\text{def}}{=} (1, q_1)$, where $q_i = \lambda p_i.\,(1, q_{i+1})$ for each $i$ with $1 \leq i < k$, and $q_k = \lambda p_k.\,(1 \vee |x|(p_1, \dots, p_k),\ |x|(p_1, \dots, p_k))$. (Recall Lemma 53.)

Note that if $\Gamma; \Delta \vdash x{:}\,\gamma$ where $x$ is a variable, then $\|\Gamma; \Delta\| \vdash \|x\|_\gamma{:}\,\|\gamma\|$.
Proof of Theorem 67(a): Polynomial time-boundedness. Fix an ATR$^-$-judgment $\Gamma; \Delta \vdash e{:}\,\gamma$. Let $\rho$ range over $\mathcal{V}_{wt}\llbracket\Gamma; \Delta\rrbracket$. We have to effectively construct a t.c. polynomial $q_e$ as required by Definition 64. The argument is yet another structural induction on the derivation of $\Gamma; \Delta \vdash e{:}\,\gamma$. We consider the cases of the last rule used in the derivation.

Cases: Zero-I and Const-I. Then $e = v \in \mathsf{N}$ and $\gamma$ is a base type. Let $q_e = \|v\|$. By Definition 63, $\mathcal{T}\llbracket v\rrbracket\,\|\rho\| = (1 \vee |v|,\ |v|) = \mathcal{L}_{wt}\llbracket q_e\rrbracket\,|\rho|$ and thus $q_e$ suffices.

Cases: Int-Id-I and Aff-Id-I. Then $e = x$, a variable. Then by Definition 63, $\mathcal{T}\llbracket x\rrbracket\,\|\rho\| = \|\rho\|(x) = \|\rho(x)\|$. Let $q_e = \|x\|_\gamma$. Subcase: $\gamma$ is a base type. By Definition 68(b), $q_e = (1 \vee |x|,\ |x|)$. So by Definition 51, $\|\rho(x)\| = \mathcal{L}_{wt}\llbracket q_e\rrbracket\,|\rho|$ and thus $q_e$ suffices. Subcase: $\gamma = (b_1, \dots, b_k) \to b_0$. By Definition 68(c), $q_e = (1, q_1)$, where $q_1, \dots, q_k$ are as in that definition. By Lemma 53, $\|\rho(x)\| = \mathcal{L}_{wt}\llbracket q_e\rrbracket\,|\rho|$ and thus $q_e$ suffices.

Case: $c_a$-I, where $a \in \{0, 1\}$. Then $e = (c_a\, e_0)$ for some $e_0$ and $\gamma = \mathsf{N}_{\square_d}$ for some $d$. Let $(c_0, p_0) = \mathcal{T}\llbracket e_0\rrbracket\,\|\rho\|$. By Definition 63, $\mathcal{T}\llbracket e\rrbracket\,\|\rho\| = (c_0 + 2,\ p_0 + 1)$. By the induction hypothesis, we can construct $q_{e_0}$ with $\|\Gamma; \Delta\| \vdash q_{e_0}{:}\,\|\mathsf{N}_{\square_d}\|$ such that $\mathcal{T}\llbracket e_0\rrbracket\,\|\rho\| \leq \mathcal{L}_{wt}\llbracket q_{e_0}\rrbracket\,|\rho|$. Thus, $q_e = q_{e_0} + (2, 1)$ suffices.

Cases: $t_0$-I, $t_1$-I, down-I, $d$-I, and if-I. These follow by arguments analogous to the proof for the $c_a$-I case.

Cases: Subsumption and Shifting. There is nothing to prove here.

Case: $\to$-E. Then $e = (e_0\, e_1)$ for some $e_0$ and $e_1$ with $\Gamma; \Delta \vdash e_0{:}\,\tau \to \gamma$ and $\Gamma; \_ \vdash e_1{:}\,\tau$. By the induction hypothesis, we can construct $q_0$ and $q_1$, bounding time-complexity polynomials for $\mathcal{T}\llbracket e_0\rrbracket$ and $\mathcal{T}\llbracket e_1\rrbracket$, respectively. Let $q_e = q_0 \star q_1$. By Remark 62, $q_e$ is a time-complexity polynomial, and it follows from the monotonicity of $\star$ that $\mathcal{T}\llbracket(e_0\, e_1)\rrbracket\,\|\rho\| = (\mathcal{T}\llbracket e_0\rrbracket\,\|\rho\|) \star (\mathcal{T}\llbracket e_1\rrbracket\,\|\rho\|) \leq (q_0\,|\rho|) \star (q_1\,|\rho|) = q_e\,|\rho|$. Thus, $q_e$ suffices.

Case: $\to$-I. Then $\gamma = \sigma \to \tau$ and $e = (\lambda x.\,e_0)$ for some $e_0$ with $\Gamma, x{:}\,\sigma; \Delta \vdash e_0{:}\,\tau$. By Definitions 57 and 63, we thus have $\mathcal{T}\llbracket e\rrbracket = \Lambda_{\mathcal{T}}(x, \mathcal{T}\llbracket e_0\rrbracket)$. By the induction hypothesis, we can construct $q_{e_0}$ with $\|\Gamma, x{:}\,\sigma; \Delta\| \vdash q_{e_0}{:}\,\|\tau\|$ and with $\mathcal{T}\llbracket e_0\rrbracket\,\|\rho'\| \leq \mathcal{L}_{wt}\llbracket q_{e_0}\rrbracket\,|\rho'|$ for each $\rho' \in \mathcal{V}_{wt}\llbracket\Gamma, x{:}\,\sigma; \Delta\rrbracket$. Subcase: $\sigma$ is a base type. Let $q_e = (1,\ \lambda|x|.\,q_{e_0})$. A straightforward argument shows that $q_e$ suffices for the polynomial bound. Subcase: $\sigma = (\sigma_1, \dots, \sigma_k) \to b$. Let $p'$ be the expression $\lambda|\vec y|.\,\pi_2((1, p) \star \|\vec y\|)$, where $|\vec y| = |y_1|, \dots, |y_k|$ and $\|\vec y\| = (1 \vee |y_1|,\ |y_1|), \dots, (1 \vee |y_k|,\ |y_k|)$. (See Definition 60(b).) Let $p''$ be the expansion of $p'$ in which $p$ is treated as being of type $(\!(\sigma)\!)$ and the $\mathcal{T}$-applications are expanded out per Definition 54. It follows that $p''$ is a time complexity polynomial with $|\Gamma|, p{:}\,(\!(\sigma)\!); |\Delta| \vdash p''{:}\,|\sigma|$. Let $q_e = (1,\ \lambda p.\,q_{e_0}[\,|x| := p''\,])$. Again, a straightforward argument shows that $q_e$ suffices for the polynomial bound. □

Theorem 67(a)

Proof of Theorem 67(b): Monotonicity. This argument follows along the lines of the proof of part (a) and is left to the reader. □

Theorem 67(b)

For the proof of soundness, we shall first define a logical relation $\sqsubseteq^{tc}_\gamma$ between CEK-closures and time-complexities. Roughly, $e\rho \sqsubseteq^{tc}_\gamma (c, p)$ says that the time complexity $(c, p)$ bounds the cost of evaluating the closure $e\rho$. Conventions on CEK-closures: CEK-closures are written $e\rho$. (We always assume $FV(e) \subseteq \mathrm{preimage}(\rho)$.) A CEK-closure $e\rho$ is called a value when $e$ is a CEK-value. $e\rho \Downarrow v\rho'$ means that starting from $(e, \rho, \mathsf{halt})$, the CEK-machine eventually ends up with $(v, \rho', \mathsf{halt})$, where $v\rho'$ is a value. Below, $v$ ranges over CEK-values and $p$ and $q$ range over potentials.

Definition 69.

(a) For each ATR-type $\gamma$ we define a relation $\sqsubseteq^{tc}_\gamma$ between type-$\gamma$ CEK-closures and time complexities and a second relation $\sqsubseteq^{pot}_\gamma$ between type-$\gamma$ CEK-closures and potentials as follows.

• $e\rho \sqsubseteq^{tc}_\gamma (c, p) =_{def} \mathrm{cost}_{CEK}(e, \rho) \le c$ and $v\rho' \sqsubseteq^{pot}_\gamma p$, where $e\rho \Downarrow v\rho'$.

• $v\rho \sqsubseteq^{pot}_\gamma p =_{def} |v\rho| \le p$, for $\gamma$ a base type.

• $(\lambda x.e)\rho \sqsubseteq^{pot}_{\sigma \to \tau} p =_{def}$ for all $v\rho'$ and all $q$ with $v\rho' \sqsubseteq^{pot}_\sigma q$, $e(\rho[x \mapsto v\rho']) \sqsubseteq^{tc}_\tau p(q)$.

• $O\rho \sqsubseteq^{pot}_{\sigma \to \tau} p =_{def}$ for all $v\rho'$ and all $q$ with $v\rho' \sqsubseteq^{pot}_\sigma q$, $O(v\rho')\{\} \sqsubseteq^{tc}_\tau p(q)$.

(b) Suppose $\varrho \in \mathcal T[\![\Gamma;\Delta]\!]$. We write $\rho \sqsubseteq \varrho$ when, for each $x \in \mathrm{preimage}(\rho)$, $x\rho \sqsubseteq^{tc}_\gamma \varrho(x)$, where $\gamma = (\Gamma;\Delta)(x)$.

(c) Suppose $\Gamma;\Delta \vdash e\colon \gamma$ and $X\colon \mathcal T[\![\Gamma;\Delta]\!] \to \mathcal T[\![\gamma]\!]$. We write $e \sqsubseteq^{tc}_\gamma X$ when, for all CEK-environments $\rho$ and $\varrho \in \mathcal T[\![\Gamma;\Delta]\!]$ with $\rho \sqsubseteq \varrho$, $e\rho \sqsubseteq^{tc}_\gamma X\varrho$.

Lemma 70.

(a) Suppose $x$ is a variable and $v\rho \sqsubseteq^{pot}_\gamma q$. Then $x(\rho' \cup \{x \mapsto v\rho\}) \sqsubseteq^{tc}_\gamma \mathrm{val}(q)$.

(b) Suppose $\Gamma;\Delta \vdash e\colon \gamma$. Then $e \sqsubseteq^{tc}_\gamma \mathcal T[\![e]\!]$.

(c) Suppose $e\rho$ is a type-$\gamma$ CEK-closure and $t$ and $t'$ are type-$\gamma$ time complexities with $e\rho \sqsubseteq^{tc}_\gamma t$ and $t \le t'$. Then $e\rho \sqsubseteq^{tc}_\gamma t'$.

Proof. Part (a). Since $v\rho \sqsubseteq^{pot}_\gamma q = \mathrm{pot}(\mathrm{val}(q))$, we just need to show that $\mathrm{cost}_{CEK}(x(\rho' \cup \{x \mapsto v\rho\})) \le \mathrm{cost}(\mathrm{val}(q))$. If $\gamma$ is a base type, then $|v| \le q$, hence $\mathrm{cost}_{CEK}(x(\rho' \cup \{x \mapsto v\rho\})) = 1 \vee |v| \le 1 \vee q = \mathrm{cost}(\mathrm{val}(q))$.

Part (b). The argument is a structural induction on the derivation of $\Gamma;\Delta \vdash e\colon \gamma$. We consider the cases of the last rule used in the derivation. Fix a CEK-environment $\rho$ and a $\varrho \in \mathcal T[\![\Gamma;\Delta]\!]$ with $\rho \sqsubseteq \varrho$.

Case: Zero-I and Const-I. Then $e = v$, a string constant. So, $\mathcal T[\![e]\!]\varrho = (1 \vee |v|,\, |v|)$, $\mathrm{cost}_{CEK}(e, \rho) = 1 \le 1 \vee |v|$, and $|e\rho| = |v|$. Hence, $e$ is as required.

Case: Int-Id-I and Aff-Id-I. Then $e = x$, a variable. Since $\rho \sqsubseteq \varrho$, we have $x\rho \sqsubseteq^{tc}_\gamma \varrho(x) = \mathcal T[\![x]\!]\varrho$. Hence, $e$ is as required.

Case: $c_a$-I, where $a \in \{0, 1\}$. Then $e = (c_a\, e_0)$ where $\Gamma;\Delta \vdash e_0\colon \gamma$ and $\gamma$ is a base type. Let $(c_0, p_0) = \mathcal T[\![e_0]\!]\varrho$ and suppose $e_0\rho \Downarrow v\rho'$. By the induction hypothesis applied to $e_0$, we know $\mathrm{cost}_{CEK}(e_0, \rho) \le c_0$ and $|v\rho'| \le p_0$. By inspection of the CEK machine and the definition of $\mathrm{cost}_{CEK}$, $\mathrm{cost}_{CEK}(c_a\, e_0, \rho) = \mathrm{cost}_{CEK}(e_0, \rho) + 2 \le c_0 + 2$. It also follows that $(c_a\, e_0)\rho \Downarrow (a \oplus v)\rho'$ and $|(a \oplus v)\rho'| = |v\rho'| + 1 \le p_0 + 1$. By Definition 63, $\mathcal T[\![e]\!]\varrho = (c_0 + 2,\, p_0 + 1)$. Hence, $e$ is as required.

Cases: $t_0$-I, $t_1$-I, down-I, d-I, [rule name illegible]-I, and if-I. These follow by arguments analogous to the proof for the $c_a$-I case.

Cases: Subsumption and Shifting. There is nothing to prove here.

Case: $\to$-I. Then $\gamma = \sigma \to \tau$ and $e = (\lambda x.e_0)$ for some $e_0$ with $\Gamma, x{:}\sigma; \Delta \vdash e_0\colon \tau$. So, by Definition 55, $\mathrm{cost}(\mathcal T[\![\lambda x.e_0]\!]\varrho) = 1$ and $(\lambda x.e_0)\rho$ is itself a value. Since $\mathrm{cost}_{CEK}(\lambda x.e_0, \rho) = 1$, all that is left to show is that $(\lambda x.e_0)\rho \sqsubseteq^{pot}_{\sigma \to \tau} \mathrm{pot}(\mathcal T[\![\lambda x.e_0]\!]\varrho)$. Let $p = \mathrm{pot}(\mathcal T[\![\lambda x.e_0]\!]\varrho) = \mathrm{pot}(\Lambda_{tc}(x, \mathcal T[\![e_0]\!])\varrho) = \lambda p' \in \mathcal V[\![\sigma]\!].\,(\mathcal T[\![e_0]\!](\varrho \cup \{x \mapsto \mathrm{val}(p')\}))$, let $v\rho'$ be an arbitrary type-$\sigma$ value and let $q$ be an arbitrary potential with $v\rho' \sqsubseteq^{pot}_\sigma q$. Then establishing $(\lambda x.e_0)\rho \sqsubseteq^{pot}_{\sigma \to \tau} p$ is equivalent to showing $e_0(\rho[x \mapsto v\rho']) \sqsubseteq^{tc}_\tau p(q)$. By part (a), $x(\rho \cup \{x \mapsto v\rho'\}) \sqsubseteq^{tc}_\sigma \mathrm{val}(q)$. Hence, $\rho \cup \{x \mapsto v\rho'\} \sqsubseteq \varrho \cup \{x \mapsto \mathrm{val}(q)\}$. Thus, by the induction hypothesis on $e_0$, $e_0(\rho[x \mapsto v\rho']) \sqsubseteq^{tc}_\tau \mathcal T[\![e_0]\!](\varrho \cup \{x \mapsto \mathrm{val}(q)\}) = p(q)$. Hence, $e$ is as required.

Case: $\to$-E. Then $e = (e_0\, e_1)$ for some $e_0$ and $e_1$ with $\Gamma;\Delta \vdash e_0\colon \sigma \to \gamma$ and $\Gamma;\_ \vdash e_1\colon \sigma$. Suppose $e_0\rho \Downarrow v_0\rho_0$, $e_1\rho \Downarrow v_1\rho_1$, $(e_0\, e_1)\rho \Downarrow v_r\rho_r$, $(c_0, p_0) = \mathcal T[\![e_0]\!]\varrho$, $(c_1, p_1) = \mathcal T[\![e_1]\!]\varrho$, and $(c_r, p_r) = p_0(p_1)$. By the induction hypothesis on $e_0$ and $e_1$:

(a) $\mathrm{cost}_{CEK}(e_0, \rho) \le c_0$. (b) $v_0\rho_0 \sqsubseteq^{pot}_{\sigma \to \gamma} p_0$. (13.1)

(a) $\mathrm{cost}_{CEK}(e_1, \rho) \le c_1$. (b) $v_1\rho_1 \sqsubseteq^{pot}_\sigma p_1$. (13.2)

There are two subcases to consider based on the form of $v_0$. Subcase: $v_0 = \lambda x.e'_0$ for some $\Gamma, x{:}\sigma; \Delta \vdash e'_0\colon \gamma$. Then (13.1b) means that, for all type-$\sigma$ values $v\rho''$ and all $q$ with $v\rho'' \sqsubseteq^{pot}_\sigma q$, we have $e'_0(\rho_0 \cup \{x \mapsto v\rho''\}) \sqsubseteq^{tc}_\gamma p_0(q)$. So by (13.2b), $e'_0\rho'_0 \sqsubseteq^{tc}_\gamma (c_r, p_r)$, where $\rho'_0 = \rho_0 \cup \{x \mapsto v_1\rho_1\}$. Now

$$\begin{aligned}
\mathrm{cost}_{CEK}((e_0\, e_1), \rho) &= \mathrm{cost}_{CEK}(e_0, \rho) + \mathrm{cost}_{CEK}(e_1, \rho) + \mathrm{cost}_{CEK}(e'_0, \rho'_0) + 3 && \text{(by Figure 20 \& Definition 18)}\\
&\le c_0 + c_1 + c_r + 3 && \text{(by (13.1a), (13.2a), \& } e'_0\rho'_0 \sqsubseteq^{tc}_\gamma (c_r, p_r))\\
&= \mathrm{cost}(\mathcal T[\![(e_0\, e_1)]\!]\varrho) && \text{(by Definition 63).}
\end{aligned}$$

Note that $e'_0\rho'_0 \Downarrow v_r\rho_r$. So by $e'_0\rho'_0 \sqsubseteq^{tc}_\gamma (c_r, p_r)$, $v_r\rho_r \sqsubseteq^{pot}_\gamma p_r = \mathrm{pot}(\mathcal T[\![(e_0\, e_1)]\!]\varrho)$. Hence, in this subcase $e$ is as required. Subcase: $v_0$ is an oracle. The argument here is a repeat, mutatis mutandis, of the proof of the previous subcase.

Part (c). The argument follows along the lines of the proof of (b). □ Lemma 70

Proof of Theorem 67(c): Soundness. This follows straightforwardly from Lemma 70(b) and Definition 60. □

Scholium 71. The $\mathcal T$-interpretation of ATR$_0$ (and later, ATR) sits in-between the actual costs of evaluating expressions on our CEK machine and the sought-after polynomial time-bounds on these costs. Why is working with $\mathcal T$-interpretations preferable to working directly with executions of CEK machines and their costs? Part of the reason is that $\mathcal T$-interpretations have built into them the cost/potential aspects of expressions. One would somehow have to replicate these in working directly with CEK-computations. Another part of the reason is that $\mathcal T$-interpretations collapse the many possible paths of a CEK-computation into a single time-complexity. The $\mathcal T$-interpretation of if-then-else is chiefly responsible for these collapses. Scholium 80 notes that these collapses are a source of some trouble in dealing with crec-expressions.



14. An affine decomposition of time complexities

When analyzing the time complexity of a program, one often needs to decompose its time complexity into pieces that may have little to do with the program's apparent syntactic structure. Theorem 74 below is a general time-complexity decomposition result for ATR expressions. The ATR typing rules for affinely restricted variables are critical in ensuring this time-complexity decomposition. The decomposition is used in the next section to obtain the recurrences for the analysis of the time complexity of crec expressions. Note that the theorem presupposes that $\mathcal T[\![\,\cdot\,]\!]$ is defined on crec expressions. However, since no affinely restricted variable can occur free in a well-typed crec expression and since the application of the theorem will be within a structural induction, this presupposition does not add any difficulties.
Remark 72. In fact, the time-complexity of a crec expression $e$ will be defined in terms of time-complexities of expressions built up from subexpressions of $e$ using term constructors other than crec. Thus a completely standard structural induction for establishing soundness does not quite work. A fully formal proof would have first established results such as "if $e_0 \sqsubseteq^{tc}_{\sigma \to \tau} X_0$ and $e_1 \sqsubseteq^{tc}_\sigma X_1$, then $(e_0\, e_1) \sqsubseteq^{tc}_\tau X_0 \star X_1$," where the $X_i$'s are general mappings from $\mathcal T$-environments to time complexities. These lemmas would then be used to carry out the induction steps of a structural induction which, in all but the crec case, would just quote the relevant lemma. Rather than impose this additional level of detail on the reader, we have opted for a less formal approach here and will assume that if we inductively have soundness for a subterm $e$, then we also have it for terms built up from $e$ without crec.

To help in the statement and proof of the Affine Decomposition Theorem, we introduce 
the following definitions and conventions. 

Definition 73.

(a) $(c_1, p_1) \uplus (c_2, p_2) = (c_1 + c_2,\, p_1 \vee p_2)$, where $(c_1, p_1), (c_2, p_2) \in \mathcal T[\![\gamma]\!]$. (Clearly, $(c_1, p_1) \uplus (c_2, p_2) \in \mathcal T[\![\gamma]\!]$.)

(b) For each ATR-type $\gamma$, define $e_\gamma$ inductively by: $e_{\mathbf N_L} = \varepsilon$ and $e_{\sigma \to \tau} = \lambda x.e_\tau$. (Clearly, $\vdash e_\gamma\colon \gamma$ and $|\mathcal V_{wt}[\![e_\gamma]\!]| = 0_{|\gamma|}$.)

(c) Given $f\colon (\sigma_1, \dots, \sigma_k) \to \mathbf N_L$, an expression of the form $(f\ e_1 \dots e_k)$ is called a full application of $f$.

Conventions on factoring out environments: Suppose $\odot$ is a binary operation on time complexities. We often write $\mathcal T[\![e_0]\!] \odot \mathcal T[\![e_1]\!]$ for $\varrho \mapsto (\mathcal T[\![e_0]\!]\varrho) \odot (\mathcal T[\![e_1]\!]\varrho)$. For example: $(\mathcal T[\![e_0]\!] \uplus \mathcal T[\![e_1]\!])\varrho = (\mathcal T[\![e_0]\!]\varrho) \uplus (\mathcal T[\![e_1]\!]\varrho)$ and $(\mathcal T[\![e_0]\!] \star \mathcal T[\![e_1]\!])\varrho = (\mathcal T[\![e_0]\!]\varrho) \star (\mathcal T[\![e_1]\!]\varrho)$. We extend this convention to $n$-ary operations. For example: $\mathrm{val}(\mathcal T[\![e]\!])\varrho = \mathrm{val}(\mathcal T[\![e]\!]\varrho)$ and $(\mathcal T[\![e_0]\!] \star \dots \star \mathcal T[\![e_k]\!])\varrho = (\mathcal T[\![e_0]\!]\varrho) \star \dots \star (\mathcal T[\![e_k]\!]\varrho)$. We also generalize this last equality as follows. Suppose $X$ is a map from $\mathc T[\![\Gamma;\Delta]\!]$ to $\mathcal T[\![(\sigma_1, \dots, \sigma_k) \to \mathbf N_L]\!]$ and, for $i = 1, \dots, k$, $Y_i$ is a map from $\mathcal T[\![\Gamma;\Delta]\!]$ to $\mathcal T[\![\sigma_i]\!]$. Then $X \star \vec Y$ denotes the map from $\mathcal T[\![\Gamma;\Delta]\!]$ to $\mathcal T[\![\mathbf N_L]\!]$ given by: $(X \star \vec Y)\varrho = (X\varrho) \star (Y_1\varrho) \star \dots \star (Y_k\varrho)$.

Theorem 74 (Affine decomposition). Suppose $\Gamma; f{:}\gamma \vdash e\colon \mathbf N_{L_0}$, where $\gamma = (\mathbf N_{L_1}, \dots, \mathbf N_{L_k}) \to \mathbf N_{L_0} \in \mathcal R$ and $\mathit{TailPos}(f, e)$. Let $\zeta$ denote the substitution $[f := e_\gamma]$. Then

$$\mathcal T[\![e]\!] \le \mathcal T[\![e\zeta]\!] \uplus (\mathcal T[\![f]\!] \star \vec t), \tag{14.1}$$

where $(f\ e^1_1 \dots e^1_k), \dots, (f\ e^m_1 \dots e^m_k)$ are the full applications of $f$ occurring in $e$ and $t_j = \bigvee_{i=1}^{m} \mathrm{val}(\mathcal T[\![e^i_j]\!])$ for $j = 1, \dots, k$.

By Lemma 11 we know that there is at most one use of an affinely restricted variable in an expression. In terms of costs, one can thus interpret (14.1) as saying that the cost of evaluating $e$ can be bounded by the sum of: (i) the cost of evaluating $e\zeta$, which includes all of the costs of $e$ except for the possible application of the value of $f$ to the values of its arguments, and (ii) $\mathrm{cost}((\mathcal T[\![f]\!] \star \vec t)\varrho)$, which clearly bounds the cost of any such $f$ application. In terms of potentials, one can interpret (14.1) as saying that the size of the value of $e$ is bounded by the maximum of (i) the size of the value of $e\zeta$, which covers all the cases where $f$ is not applied, and (ii) $\mathrm{pot}((\mathcal T[\![f]\!] \star \vec t)\varrho)$, which covers all the cases where $f$ is applied.

If (14.1) solely concerned CEK costs, the above remarks would almost constitute a proof. However, (14.1) is about $\mathcal T$-interpretations of expressions and $\mathcal T[\![e]\!]$ is an approximation to the true time complexities involved in evaluating $e$. The theorem asserts that our $\mathcal T$-interpretation of ATR is verisimilar enough to capture this property of time complexities. This latter requires a little work.

$$\begin{aligned}
\mathcal T[\![A]\!]\varrho
&\le (\mathrm{cost}(\mathcal T[\![A_0]\!]\varrho) + 2,\, 0) \uplus \textstyle\bigvee_{i=1}^{2} \bigl(\mathcal T[\![A_i\zeta]\!]\varrho \uplus (\mathcal T[\![f]\!] \star \vec t)\varrho\bigr)\\
&\le (\mathrm{cost}(\mathcal T[\![A_0]\!]\varrho) + 2,\, 0) \uplus \bigl(\textstyle\bigvee_{i=1}^{2} \mathcal T[\![A_i\zeta]\!]\varrho\bigr) \uplus (\mathcal T[\![f]\!] \star \vec t)\varrho\\
&\le \bigl[(\mathrm{cost}(\mathcal T[\![A_0\zeta]\!]\varrho) + 2,\, 0) \uplus \textstyle\bigvee_{i=1}^{2} \mathcal T[\![A_i\zeta]\!]\varrho\bigr] \uplus (\mathcal T[\![f]\!] \star \vec t)\varrho\\
&= \mathcal T[\![A\zeta]\!]\varrho \uplus (\mathcal T[\![f]\!] \star \vec t)\varrho .
\end{aligned}$$

Figure 23: The decomposition for if-then-else expressions

Proof of Theorem 74. Fix $\varrho \in \mathcal T[\![\Gamma; f{:}\gamma]\!]$. Without loss of generality, we assume there are no bound occurrences of $f$ in $e$. We argue by structural induction that for each $A$, a subterm of $e$ with $\Gamma; f{:}\gamma \vdash A\colon \mathbf N_L$, we have

$$\mathcal T[\![A]\!]\varrho \le \mathcal T[\![A\zeta]\!]\varrho \uplus (\mathcal T[\![f]\!] \star \vec t)\varrho, \tag{14.2}$$

where the $t_j$'s are as in the theorem's statement. It follows from $\mathit{TailPos}(f, e)$ that the following three cases are the only ones to consider.

Case 1: $f$ fails to occur in $A$. Then (14.2) follows immediately.

Case 2: $A = (f\ e_1 \dots e_k)$, where $\Gamma;\_ \vdash e_1\colon \mathbf N_{L_1}, \dots, \Gamma;\_ \vdash e_k\colon \mathbf N_{L_k}$. By the monotonicity of $\star$ and the $\mathcal T$-interpretation of application from Figure 22, it follows that (14.2) holds for $A$.

Case 3: $A = (\mathrm{if}\ A_0\ \mathrm{then}\ A_1\ \mathrm{else}\ A_2)$ where $f$ occurs in $A_1$ or $A_2$ or both. By Definitions 63 and 73(a), $\mathcal T[\![A]\!]\varrho = (\mathrm{cost}(\mathcal T[\![A_0]\!]\varrho) + 2,\, 0) \uplus \bigvee_{i=1}^{2} \mathcal T[\![A_i]\!]\varrho$. Note: $A_0 = A_0\zeta$ since $f$ cannot appear in $A_0$. By the induction hypothesis applied to $A_1$ and $A_2$, $\mathcal T[\![A_i]\!]\varrho \le \mathcal T[\![A_i\zeta]\!]\varrho \uplus (\mathcal T[\![f]\!] \star \vec t)\varrho$ for $i = 1, 2$. Thus we have the chain of bounds of Figure 23. □

Scholium 75. As demonstrated in [DR07], handling forms of recursion beyond tail recursion requires notions of decomposition more sophisticated than (14.1). Moreover, if explicit $\multimap$-types were added to ATR, then the decomposition also becomes more involved than (14.1).

For the analysis of crec expressions we need the following corollary to Theorem 74. We leave its proof to the reader, who should be mindful of Remark 72 above.

Corollary 76. Suppose $\Gamma; f{:}\gamma \vdash A\colon \gamma$, where $\gamma = (\mathbf N_{L_1}, \dots, \mathbf N_{L_k}) \to \mathbf N_{L_0} \in \mathcal R$, $A = \lambda u_1, \dots, u_k.B$, $\mathit{TailPos}(f, A)$, $\Gamma(x_1) = \mathbf N_{L_1}, \dots, \Gamma(x_k) = \mathbf N_{L_k}$, and $\zeta$ is as before. Then $\mathcal T[\![(A\, \vec x)]\!] \le \mathcal T[\![(A\, \vec x)\zeta]\!] \uplus (\mathcal T[\![f]\!] \star \vec t)$, where $(f\ e^1_1 \dots e^1_k), \dots, (f\ e^m_1 \dots e^m_k)$ are the full applications of $f$ occurring in $B$ and $t_j = (\bigvee_{i=1}^{m} \mathrm{val}(\mathcal T[\![e^i_j]\!]))[\vec u := \vec x]$ for $j = 1, \dots, k$.
15. The time-complexity interpretation of ATR

We are now in a position to consider the time complexity properties of crec expressions. Remark 77 below motivates the $\mathcal T$-interpretation of crec expressions given in Definition 78. The remark's analysis will be reused in establishing soundness and polynomial time-boundedness for ATR.

Remark 77. Suppose $\Gamma; f{:}\gamma \vdash A\colon \gamma$, where $\gamma = (\vec b) \to b_0 \in \mathcal R$ and $\mathit{TailPos}(f, A)$. For each $a \in \mathbf N$, let $e_a = (\mathrm{crec}\ a\ [\lambda_r f.A])$. Thus, $\Gamma;\_ \vdash e_a\colon \gamma$. Our goal is to express $\mathcal T[\![e_a]\!]$ in terms of $\mathcal T[\![e_{0 \oplus a}]\!]$ so as to later extract recurrences, the solutions of which will provide a closed form polynomial time-bound for $e_a$. So suppose in the following that $\mathcal T[\![e_{0 \oplus a}]\!]$ has a settled value and that $\mathcal T$-soundness holds for all proper subterms of $e_a$ and their expansions below. In a CEK evaluation of $e_a$, in one step $e_a$ is rewritten to $\lambda\vec x.B_a$, where

$$B_a = (\mathrm{if}\ |a| < |x_1|\ \mathrm{then}\ C_a\ \mathrm{else}\ \varepsilon) \quad\text{and}\quad C_a = (A[f := e_{0 \oplus a}]\ \vec x).$$

Let $\Gamma' = \Gamma, \vec x{:}\vec b$. So, $\Gamma'; f{:}\gamma \vdash B_a\colon b_0$ and $\Gamma'; f{:}\gamma \vdash C_a\colon b_0$. Fix a CEK-environment $\rho$ and a $\varrho \in \mathcal T[\![\Gamma'; f{:}\gamma]\!]$ with $\rho \sqsubseteq \varrho$. From Figure 20 and Definition 18 it follows that

$$\mathrm{cost}_{CEK}(B_a, \rho) \le 2 \cdot |\rho(x_1)| + 2 \cdot |a| + 5 + \begin{cases} \mathrm{cost}_{CEK}(C_a, \rho), & \text{if } |a| < |\rho(x_1)|;\\ 1, & \text{otherwise.} \end{cases} \tag{15.1}$$

By our $\mathcal T$-soundness assumptions,

$$C_a \sqsubseteq^{tc}_{b_0} \mathcal T[\![C_a]\!]. \tag{15.2}$$

Let $\zeta$ be the substitution $[f := e_\gamma]$. By Corollary 76 applied to $(A\, \vec x)$: $\mathcal T[\![(A\, \vec x)]\!] \le \mathcal T[\![(A\, \vec x)\zeta]\!] \uplus (\mathcal T[\![f]\!] \star \vec t)$, where $t_1, \dots, t_k$ are as in Theorem 74. Let $\xi$ be the substitution $[f := e_{0 \oplus a}]$. Since $f$ has no occurrence in $\vec t$, we have that $\mathcal T[\![(A\, \vec x)\xi]\!] \le \mathcal T[\![(A\, \vec x)\zeta\xi]\!] \uplus (\mathcal T[\![f\xi]\!] \star \vec t)$, which can be restated as:

$$\mathcal T[\![C_a]\!] \le \mathcal T[\![(A\, \vec x)\zeta]\!] \uplus (\mathcal T[\![e_{0 \oplus a}]\!] \star \vec t). \tag{15.3}$$

Since $\rho \sqsubseteq \varrho$, $|\rho(x_1)| \le \mathrm{pot}(\mathcal T[\![x_1]\!]\varrho)$. So, by Lemma 70(c), (15.1), (15.2), and (15.3), $B_a \sqsubseteq^{tc}_{b_0} X_a$, where $X_a\colon \mathcal T[\![\Gamma'; f{:}\gamma]\!] \to \mathcal T[\![b_0]\!]$ is given by

$$X_a\,\varrho' = \begin{cases} \mathrm{dally}(c, \mathcal T[\![(A\, \vec x)\zeta]\!]\varrho') \uplus (\mathcal T[\![e_{0 \oplus a}]\!] \star \vec t)\varrho', & \text{if } |a| < p_1;\\ (c + 1,\, 0), & \text{otherwise;} \end{cases}$$

where $p_1 = \mathrm{pot}(\mathcal T[\![x_1]\!]\varrho')$, $c = 2 \cdot p_1 + 2 \cdot |a| + 5$, and $\vec t$ is as before.

By the analysis for the $\to$-I case in Theorem 67's proof, $(\lambda\vec x.B_a) \sqsubseteq^{pot}_\gamma \mathrm{pot}(\Lambda_{tc}(\vec x, X_a))$. As $\mathrm{cost}_{CEK}(\lambda\vec x.B_a, \_) = 1$, we have that $e_a \sqsubseteq^{tc}_\gamma Y_a$, where $Y_a = \mathrm{dally}(1, \Lambda_{tc}(\vec x, X_a))$.



Definition 78 (The $\mathcal T$-interpretation of ATR). $\mathcal T[\![\Gamma;\_ \vdash (\mathrm{crec}\ a\ (\lambda_r f.A))\colon \gamma]\!] =_{def} Y_a$, where $Y_a$ is as above. Figure 22 provides the $\mathcal T$-interpretations for the other ATR constructs.

The well-definedness of $\mathcal T[\![\Gamma;\_ \vdash (\mathrm{crec}\ a\ (\lambda_r f.A))\colon \gamma]\!]$ is part of:

Theorem 79. The $\mathcal T$-interpretation of ATR is (a) polynomial time-bounded, (b) monotone, and (c) sound, as well as (d) well-defined.
Proof sketch. All the parts are shown simultaneously by a structural induction on the derivation of $\Gamma;\Delta \vdash e\colon \gamma$. Along with parts (a)–(d) we also show:

Claim: For all $\varrho \in \mathcal T[\![\Gamma;\Delta]\!]$, $\mathrm{Pot}(\mathcal T[\![e]\!]\varrho) \le \mathcal T[\![\hat p_e]\!]\varrho$, where $p_e$ is the polynomial size-bound for $e$ from Theorem 43 and $\hat p_e$ is the result of replacing each occurrence of each variable $|x|$ in $p_e$ with $\mathrm{Pot}(x)$. (E.g., if $p_e = \lambda|z|.(2 * |g|(|z|) + 1)$ then $\hat p_e = \lambda|z|.(2 * \mathrm{Pot}(g)(\mathrm{Pot}(z)) + 1)$.)

Intuitively, $\hat p_e$ is the version of $p_e$ that is over base potentials (Definition 60(b)) instead of lengths, and the Claim says that the upper bound on size that is implicit in our $\mathcal T$-interpretation is at least as good as the size bounds of Theorem 43. Through the Claim we are able to make use, in a time-complexity context, of the polynomial bound on the depth of crec-recursions from the proof of Theorem 43.

Here, then, is the induction. 

For each case, except the crec one, parts (a), (b), and (c) are as in the proof of Theorem 67, part (d) is evident, and the Claim follows from an inspection of the bounds assigned in the proof of Theorem 43 and Definition 63. We thus consider the case of $e = (\mathrm{crec}\ a\ (\lambda_r f.A))$ where $\Gamma; f{:}\gamma \vdash A\colon \gamma$, $\gamma = (\sigma_1, \dots, \sigma_k) \to b_0 \in \mathcal R$, and $\mathit{TailPos}(f, A)$. Without loss of generality, we assume $a$ is a tally string $n$. So, $0 \oplus a = n + 1$.

We first import the notation from Remark 77. So, $e = e_n$, where $e_n$ is as in Remark 77 with $a = n$. Also let $\mathcal T[\![\vec x]\!]$ denote $\mathcal T[\![x_1]\!], \dots, \mathcal T[\![x_k]\!]$, let $\varrho \in \mathcal T[\![\Gamma;\_]\!]$, and let $m$ range over $\{n, n+1, \dots\}$. Then, by Remark 77, Definition 78, and Lemma 59 we have: $(\mathcal T[\![e_m]\!] \star \mathcal T[\![\vec x]\!])\varrho = (Y_m\varrho) \star \varrho(\vec x) = (\mathrm{dally}(1, \Lambda_{tc}(\vec x, X_m))\varrho) \star \varrho(\vec x) = \mathcal T[\![r_0]\!]\varrho \uplus X_m\varrho$, where $r_0 = (5k + 4 + \mathrm{cost}(\varrho(x_1)) + \dots + \mathrm{cost}(\varrho(x_k)),\, 0)$. Let $r_{1,m} = r_0 \uplus (2 \cdot \mathrm{pot}(\varrho(x_1)) + 2 \cdot m + 6,\, 0)$ and $r_{2,m} = r_0 \uplus (2 \cdot \mathrm{pot}(\varrho(x_1)) + 2 \cdot m + 5,\, 0)$. Then, by the definition of $X_m$ in Remark 77,

$$(\mathcal T[\![e_m]\!] \star \mathcal T[\![\vec x]\!])\varrho \le \begin{cases} \mathcal T[\![r_{1,m}]\!]\varrho, & \text{if } \mathrm{pot}(\varrho(x_1)) \le m;\\ \mathcal T[\![r_{2,m}]\!]\varrho \uplus \mathcal T[\![(A\, \vec x)\zeta]\!]\varrho \uplus (\mathcal T[\![e_{m+1}]\!] \star \vec t)\varrho, & \text{otherwise.} \end{cases} \tag{15.4}$$

Now let us import some notation from the proof of Theorem 43. Let $p_1, \dots, p_k$ be the manifestly safe polynomials that bound the sizes of the arguments of $f$ in $A$ and let $p'_1, \dots, p'_k$ be the polynomials that bound the final sizes of said arguments.

Part (d): Well-definedness. Let $\varrho_n = \varrho$. Combine the $m = n$ and $m = n+1$ versions of (15.4) to express $(\mathcal T[\![e_n]\!] \star \mathcal T[\![\vec x]\!])\varrho_n$ in terms of $\mathcal T[\![e_{n+2}]\!]$ and $\varrho_{n+1}$, the update to $\varrho_n$ produced by the application $(\mathcal T[\![e_{n+1}]\!] \star \vec t)\varrho_n$. It follows from the Claim that $\mathrm{pot}(\varrho_{n+1}(x_1)) \le \mathcal T[\![\hat p'_1]\!]\varrho$. We can keep repeating this process, for $m = n+2, n+3, \dots$, to express $(\mathcal T[\![e_n]\!] \star \mathcal T[\![\vec x]\!])\varrho_n$ in terms of $\mathcal T[\![e_{m+1}]\!]$ and $\varrho_m$, the update to $\varrho_{m-1}$ produced by the application $(\mathcal T[\![e_m]\!] \star \vec t)\varrho_{m-1}$. The Claim still tells us that $\mathrm{pot}(\varrho_m(x_1)) \le \mathcal T[\![\hat p'_1]\!]\varrho$. Hence, the otherwise clause of (15.4) can hold for only finitely many $m$. Thus, it follows that $\mathcal T[\![e_n]\!]$ is defined and total.

Part (b): Monotonicity. Note that the terms $\mathcal L_{wt}[\![r_{1,m}]\!]$ and $\mathcal L_{wt}[\![r_{2,m}]\!]$ clearly satisfy monotonicity. It follows from the induction hypothesis that the terms $\mathcal T[\![(A\, \vec x)\zeta]\!]$ and $t_1, \dots, t_k$ also satisfy monotonicity. It follows from (15.4) that if, for a particular $m$, the $\mathcal T[\![e_{m+1}]\!]$ term satisfies monotonicity, then so does $\mathcal T[\![e_m]\!]$. Hence, by the finiteness of the expansion it follows that $\mathcal T[\![e_n]\!]$ satisfies monotonicity.

Part (c) and the Claim. By arguments along the lines of the one just given for monotonicity, one can establish soundness and the Claim for $e_n$.
Part (a): Polynomial time-boundedness. Recall from Definition 64 the definition of polynomial time-boundedness; the key inequality to be shown is $\mathcal T[\![e]\!]\|\rho\| \le \mathcal L_{wt}[\![q_e]\!]|\rho|$ for each $\rho \in \mathcal V_{wt}[\![\Gamma;\_]\!]$. So if $\rho$ is an ATR-environment and $x$ is a variable with a string or oracle value, then $\mathcal T[\![\mathrm{Pot}(x)]\!]\|\rho\| = \mathcal L_{wt}[\![|x|]\!]|\rho|$. Thus, for each $e'$, $\mathcal T[\![\hat p_{e'}]\!]\|\rho\| = \mathcal L_{wt}[\![p_{e'}]\!]|\rho|$.

Now, it follows from the induction hypothesis that there is an $r$, a polynomial time-bound for $(A\, \vec x)\zeta$, relative to $\Gamma';\_$. Let $r_1 = r_{1,p'_1}$ and $r_2 = r_{2,p'_1}$. Let $\xi$ and $\xi'$ respectively denote the substitutions $[|x_1| := p_1, \dots, |x_k| := p_k]$ and $[|x_1| := p'_1, \dots, |x_k| := p'_k]$, where $p_1, \dots, p_k, p'_1, \dots, p'_k$ are the polynomials from Theorem 43 introduced before. Note that $\|x_i\|\xi = (1 \vee p_i,\, p_i)$. By the Claim, for each $j = 1, \dots, k$, $\mathcal T[\![t_j]\!]\|\rho\| \le \mathcal L_{wt}[\![(1 \vee p_j,\, p_j)]\!]|\rho| = \mathcal L_{wt}[\![\|x_j\|\xi]\!]|\rho|$. Hence, assuming $\mathrm{pot}(\mathcal L_{wt}[\![|x_1|]\!]|\rho|) > n$,

$$\begin{aligned}
(\mathcal T[\![e_{n+1}]\!] \star \vec t)\|\rho\| &\le (\mathcal T[\![e_{n+1}]\!] \star (\|\vec x\|\xi))\|\rho\| && \text{(by monotonicity)}\\
&\le \mathcal L_{wt}[\![(r_{2,n+1} \uplus r)\xi]\!]|\rho| \uplus (\mathcal T[\![e_{n+2}]\!] \star (\vec t\xi))\|\rho\| && \text{(by (15.4))}\\
&\le \mathcal L_{wt}[\![(r_2 \uplus r)\xi]\!]|\rho| \uplus (\mathcal T[\![e_{n+2}]\!] \star (\vec t\xi))\|\rho\| && \text{(by monotonicity).}
\end{aligned}$$

Clearly, we can repeat the above expansion $(p'_1 - n)$-many times (i.e., until termination), collect terms, and produce the desired polynomial bound. Here is the algebra. Let $s = r_1\xi' \uplus \biguplus_{m=0}^{p'_1 - n} (r_2 \uplus r)\xi^{(m)}$, $s_1 = \mathrm{cost}(r_1\xi') + p'_1 \cdot (\mathrm{cost}(r_2\xi') + \mathrm{cost}(r\xi'))$, and $s_2 = \mathrm{pot}((r_1 \vee r_2 \vee r)\xi')$. Then $(\mathcal T[\![e_n]\!] \star \vec t)\|\rho\| \le \mathcal L_{wt}[\![s]\!]|\rho| \le \mathcal L_{wt}[\![(s_1, s_2)]\!]|\rho|$ by a straightforward argument. Thus, $\lambda|\vec x|.(s_1, s_2)$ suffices as the polynomial time bound for $e_n$. □
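As an added illustration (not part of the paper), here is the unfolding of (15.4) that Parts (d) and (a) describe, carried two steps in the paper's own notation. Following Part (d), $\varrho_n = \varrho$ and $\varrho_{m+1}$ is $\varrho_m$ updated by the application $(\mathcal T[\![e_{m+1}]\!] \star \vec t)\varrho_m$; we assume, as Part (d) does implicitly, that this application can be rewritten as $(\mathcal T[\![e_{m+1}]\!] \star \mathcal T[\![\vec x]\!])\varrho_{m+1}$, so that (15.4) applies again at $m+1$.

$$\begin{aligned}
(\mathcal T[\![e_n]\!] \star \mathcal T[\![\vec x]\!])\varrho_n
&\le \mathcal T[\![r_{2,n}]\!]\varrho_n \uplus \mathcal T[\![(A\, \vec x)\zeta]\!]\varrho_n \uplus (\mathcal T[\![e_{n+1}]\!] \star \mathcal T[\![\vec x]\!])\varrho_{n+1}
&& \text{((15.4) at } m = n,\ \mathrm{pot}(\varrho_n(x_1)) > n)\\
&\le \mathcal T[\![r_{2,n}]\!]\varrho_n \uplus \mathcal T[\![(A\, \vec x)\zeta]\!]\varrho_n \uplus \mathcal T[\![r_{1,n+1}]\!]\varrho_{n+1}
&& \text{(if } \mathrm{pot}(\varrho_{n+1}(x_1)) \le n+1)\\
&\le \mathcal T[\![r_{2,n}]\!]\varrho_n \uplus \mathcal T[\![(A\, \vec x)\zeta]\!]\varrho_n \uplus \mathcal T[\![r_{2,n+1}]\!]\varrho_{n+1} \uplus \mathcal T[\![(A\, \vec x)\zeta]\!]\varrho_{n+1} \uplus (\mathcal T[\![e_{n+2}]\!] \star \mathcal T[\![\vec x]\!])\varrho_{n+2}
&& \text{(otherwise).}
\end{aligned}$$

Since $\uplus$ adds costs and takes the maximum of potentials (Definition 73(a)), after $N$ unfoldings, with $N$ the least number such that $\mathrm{pot}(\varrho_{n+N}(x_1)) \le n+N$, the terms collect to

$$(\mathcal T[\![e_n]\!] \star \mathcal T[\![\vec x]\!])\varrho_n \;\le\; \biguplus_{m=n}^{n+N-1} \bigl(\mathcal T[\![r_{2,m}]\!]\varrho_m \uplus \mathcal T[\![(A\, \vec x)\zeta]\!]\varrho_m\bigr) \;\uplus\; \mathcal T[\![r_{1,n+N}]\!]\varrho_{n+N},$$

and the Claim's bound $\mathrm{pot}(\varrho_m(x_1)) \le \mathcal T[\![\hat p'_1]\!]\varrho$ gives $N \le \mathcal T[\![\hat p'_1]\!]\varrho - n$. This is exactly the shape of $s$ in Part (a): one $r_1$ term plus $(p'_1 - n)$-many $(r_2 \uplus r)$ terms, whose costs sum to $s_1$ and whose potentials join to $s_2$.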

Scholium 80. Note that we resorted to reasoning directly about CEK-costs to obtain (15.1). This is because if we had used Definition 63's $\mathcal T$-interpretation of if-then-else, then we would have been left without a base case in our recursive unfoldings of crec-expressions.

We note that as a consequence of parts (a) and (c) of Theorem 79 we have:

Corollary 81. For each $\Gamma;\Delta \vdash e\colon \gamma$, there is a second-order polynomial $q_e$ with $|\Gamma;\Delta| \vdash q_e\colon |\gamma|$ such that $\mathrm{cost}_{CEK}(e, \rho) \le \mathcal L_{wt}[\![q_e]\!]|\rho|$ for each $\rho \in \mathcal V_{wt}[\![\Gamma;\Delta]\!]$.

Remark 82 (Related work). The time-complexity cost/potential distinction appears in prior work. A version of this distinction can be found in Sands' Ph.D. thesis [San90]. Shultis [Shu85] sketched how to use the distinction in order to give time-complexity semantics for reasoning about the run-time of programs that involve higher types. Van Stone [VS03] gives a much more detailed and sophisticated semantics for a variant of PCF using the cost/potential distinction. Very roughly, Shultis and Van Stone were focused on giving static analyses to extract time-bounds for functional programs that compute first-order functions. The time-complexity semantics of this paper was developed independently of Shultis' and Van Stone's work. We also note that Benzinger's work [Ben01, Ben04] on automatically inferring the complexity of Nuprl programs made extensive use of higher-type recurrence equations.

16. Complexity-theoretic completeness

Our final result on ATR is that each type-1 and type-2 BFF is ATR computable. Conventions: In this section, let $\sigma = (\sigma_1, \dots, \sigma_k) \to \mathbf N$ range over simple types over $\mathbf N$ of levels 1 or 2, and let $\gamma, \gamma_0, \gamma_1, \dots$ range over ATR types. Recall from §2.14 that $f \in \mathcal V[\![\sigma]\!]$ is basic feasible when there is a closed type-$\sigma$ PCF-expression $e_f$ and a second-order polynomial function $q_f$ such that $\mathcal V[\![e_f]\!] = f$ and, for all $v_1 \in \mathcal V[\![\sigma_1]\!], \dots, v_k \in \mathcal V[\![\sigma_k]\!]$, $\mathrm{CEK\text{-}time}(e_f, v_1, \dots, v_k) \le q_f(|v_1|, \dots, |v_k|)$. Let $\mathrm{BFF}_\sigma$ = the class of all type-$\sigma$ BFFs.
Definition 83. We say that each base type is unhindered and that $(\gamma_1, \dots, \gamma_k) \to \gamma_0$ is unhindered when $(\gamma_1, \dots, \gamma_k) \to \gamma_0$ is strict, predicative, and each $\gamma_i$ is unhindered.

Note that $\mathcal V_{wt}[\![\gamma]\!] = \mathcal V[\![\mathit{shape}(\gamma)]\!]$ if and only if $\gamma$ is unhindered.

Theorem 84. $\mathrm{BFF}_\sigma = \{\, \mathcal V_{wt}[\![\vdash e\colon \gamma]\!] \mid \sigma = \mathit{shape}(\gamma)\ \&\ \gamma \text{ is unhindered} \,\}$ for each $\sigma$.

Proof. Fix $\sigma$ and let $\mathcal U_\sigma = \{\, \mathcal V_{wt}[\![\vdash e\colon \gamma]\!] \mid \sigma = \mathit{shape}(\gamma)\ \&\ \gamma \text{ is unhindered} \,\}$.

Claim 1: $\mathcal U_\sigma \subseteq \mathrm{BFF}_\sigma$. Proof: It is straightforward to express a crec-recursion with PCF's fix-construct with only polynomially-much overhead on the cost of the simulation. Hence, the claim follows from Theorem 79.

Claim 2: $\mathrm{BFF}_\sigma \subseteq \mathcal U_\sigma$. Proof: Kapron and Cook [KC96] showed that the type-2 basic feasible functionals are characterized by the functions computable in second-order polynomial time-bounded oracle Turing machines (OTMs). Proposition 18 from [IKR01] shows how to simulate any second-order polynomial time-bounded oracle Turing machine using that paper's ITLP2 programming formalism. That simulation is easily adapted to ATR. Hence, the claim follows. □

Note: The proof's two claims are constructive in that: (i) given a closed ATR-expression $e$ of unhindered type, one can construct an equivalent PCF expression $e'$ and a second-order polynomial $p_e$ that bounds the run time of $e'$, and (ii) given an OTM $M$ and a second-order polynomial $p$ that bounds the run time of $M$, one can construct an ATR-expression that computes the same function as $M$.

Claim 2 can be extended beyond unhindered types as follows. For each ATR arrow-type $\gamma = (\gamma_1, \dots, \gamma_k) \to \mathbf N_L$, and each type-$\mathit{shape}(\gamma)$ OTM $M$, we say that $M$ computes a $\mathrm{BFF}_\gamma$-function when there is a type-$|\gamma|$ polynomial $p$ such that the run time of $M$ on $\vec v$ is bounded by $p(|v_1|, \dots, |v_k|)$. The proof of Claim 2 lifts to show: for all ATR arrow-types $\gamma$, each $\mathrm{BFF}_\gamma$-function is ATR computable.

17. Conclusions 

ATR is a small functional language, based on PCF, which has the property that each ATR program has a second-order polynomial time-bound. The ATR-computable functions include the basic feasible functionals at type-levels 1 and 2. However, the ATR-computable functions contain other functions, such as prn, that are not basic feasible in the original sense of Cook and Urquhart [CU93]. ATR is able to express such functions thanks to its type system and supporting semantics that work together to control growth rates and time complexities. Without some such controls, feasible recursion schemes, such as prn, cannot be first-class objects of a programming language.

The ATR type-system and semantics were crafted so that ATR's complexity properties 
could be established through adaptations of standard tools for the analysis of conventional 
programming languages (e.g., intuitionistic and affine types, denotational semantics for 
ATR and its time complexity, and an abstract machine that provides both an operational 
semantics for ATR and a basis for the time-complexity semantics). As ATR is based on 
PCF (a theoretical first-cousin of both ML and Haskell), our results suggest that one might 
be able to craft "feasible sublanguages" of ML and Haskell that are both theoretically 
well-supported and tolerable for programmers. 

ATR and its semantic and analytic frameworks are certainly not the final word on any 
issue. Here we discuss several possible extensions of our work. 
More general recursions. In [DR07] we consider an expansion of ATR that allows a fairly wide range of affine (one-use) recursions. In particular, the expanded ATR can fairly naturally express the classic insertion- and selection-sort algorithms. Handling this larger set of recursions requires some nontrivial extensions of our framework for analyzing time-complexities.

Nonlinear recursions (e.g., the standard quicksort algorithm) are trickier to handle because there must be independent clocks on each branch of the recursion that together guarantee certain global upper bounds.

Recursions with type-level 1 parameters. Another possible extension of ATR would be to allow type-level 1 parameters in crec-recursions so that, for example, one could give a continuation-passing-style definition of prn. Because type-1 parameters in recursions act to recursively define functions, these parameters must be affinely restricted just like principal recursor variables of crec-expressions. Consequently, such an extension must also include explicit $\multimap$-types to restrict these parameters. However, along with the $\multimap$-types come (explicitly or implicitly) tensor-products and these cause problems in analyzing crec-recursions (e.g., one is forced to account for all the possible interactions of the affine parameters in the course of a recursion and so the naive "polynomial" time-bounds are exponential in size).

Lazy evaluation. For a lazy (e.g., call-by-need) version of ATR, one would need to: (i) construct an abstract machine for this lazy-ATR, (ii) modify the $\mathcal T$-semantics a bit to accommodate the lazy constructs; and (iii) rework the $\mathcal T$-interpretation of ATR, which would then have to be shown monotone, sound, and constructively polynomial time-bounded. (Since the well-tempered semantics is extensional, it requires very few changes for a lazy-ATR.) If our lazy-ATR allowed infinite strings, then the $\mathcal V_{wt}$-semantics would also have to be modified. Note that Sands [San90] and Van Stone [VS03] both consider lazy evaluation in their work.

Lists and streams. There are multiple senses of the "size" of a list. For example, the run-time of reverse should depend on just a list's length, whereas the run-time of a search depends on both the list's length and the sizes of the list's elements. Any useful extension of ATR that includes lists needs to account for these multiple senses of size in the type system and the well-tempered and time-complexity semantics. If lists are combined with laziness, then we also have the problem of handling infinite lists. However, ATR and its semantics already handle one flavor of infinite object, i.e., type-level 1 inputs, so handling a second flavor of infinite object may not be too hard.

Type checking, type inference, time-bound inference. We have not studied the problem of ATR type checking. But since ATR is just an applied simply typed lambda calculus with subtyping, standard type-checking tools should suffice. Type inference is a much more interesting problem. We suspect that a useful type inference algorithm could be based on Frederiksen and Jones' [FJ04] work on applying size-change analysis to detect whether programs run in polynomial time. Another interesting problem would be to start with a well-typed ATR program and then extract reasonably tight size and time bounds (as opposed to the not-so-tight bounds given by Theorem 79).

Beyond type-level 2. There are semantic and complexity-theoretic issues to be resolved in order to extend the semantics of ATR to type-levels 3 and above. The key problem is that our definition of the length of a type-2 function (2.3) does not generalize to type-level 3. This is because for $\Phi \in MC(((\mathbf N \to \mathbf N) \to \mathbf N) \to \mathbf N)$ and $G \in MC((\mathbf N \to \mathbf N) \to \mathbf N)$, we can have $\sup\{\, |\Phi(F)| \mid |F| \le |G| \,\} = \infty$, even when $G$ is 0-1 valued. To fix this problem one can introduce a different notion of length that incorporates information about a function's modulus of continuity. It appears that ATR and the $\mathcal V_{wt}$- and $\mathcal T$-semantics extend to this new setting. However, it also appears that this new notion of length gives us a new notion of higher-type feasibility that goes beyond the BFFs. Sorting out what is going on here should be the source of other adventures.